Bugs item #1153075, was opened at 2005-02-27 15:55
Message generated for change (Comment added) made by jepler
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1153075&group_id=5470

Category: Python Interpreter Core
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Armin Rigo (arigo)
Assigned to: Nobody/Anonymous (nobody)
Summary: PyXxx_Check(x) trusts x->ob_type->tp_mro

Initial Comment:
The functions PyInt_Check(), PyString_Check(), PyList_Check() etc. are used all over the core to check which typecasts are safe, from PyObject* to the various PyXxxObject*.

But the macros themselves are implemented by inspecting the "tp_mro" tuple of the incoming object's type. As the latter can be completely controlled by the user, an object can pretend to inherit from anything and pass the PyXxx_Check() checks of its choice, even if its memory layout is actually completely wrong.

See attached example.

----------------------------------------------------------------------

Comment By: Jeff Epler (jepler)
Date: 2005-03-01 13:15

Message:
Logged In: YES
user_id=2772

Not sure if this is relevant, but the example given didn't crash 2.2:

$ python2.2 bug.py
Traceback (most recent call last):
  File "bug.py", line 9, in ?
    x = X()
TypeError: dict.__new__(X) is not safe, use object.__new__()

----------------------------------------------------------------------

_______________________________________________
Python-bugs-list mailing list
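
The type-check weakness described in the initial comment, as an added toy model in C (not the attachment from the report and not CPython source). All type and function names are hypothetical, and the model assumes the MRO array is writable by user code while the base pointer is fixed when the type is created.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the report's scenario; hypothetical names, not CPython source. */
typedef struct Type {
    const char *name;
    const struct Type *base;   /* assumed fixed at type creation; determines layout */
    const struct Type **mro;   /* NULL-terminated; assumed writable by user code */
} Type;
typedef struct { const Type *type; } Object;       /* header only */
typedef struct { Object head; long value; } IntObject; /* header + payload */

/* Check in the style the report describes: believe whatever the MRO lists. */
int check_by_mro(const Object *o, const Type *want) {
    for (const Type **t = o->type->mro; *t != NULL; t++)
        if (*t == want) return 1;
    return 0;
}

/* Alternative: walk the base chain, which user code cannot rewrite here. */
int check_by_base(const Object *o, const Type *want) {
    for (const Type *t = o->type; t != NULL; t = t->base)
        if (t == want) return 1;
    return 0;
}

static Type ObjectType, IntType, SubIntType, FakeType;  /* tentative definitions */
static const Type *object_mro[] = { &ObjectType, NULL };
static const Type *int_mro[]    = { &IntType, &ObjectType, NULL };
static const Type *subint_mro[] = { &SubIntType, &IntType, &ObjectType, NULL };
/* Constructed forgery: laid out as a bare object, but its MRO names int. */
static const Type *fake_mro[]   = { &FakeType, &IntType, &ObjectType, NULL };

static Type ObjectType = { "object", NULL,        object_mro };
static Type IntType    = { "int",    &ObjectType, int_mro };
static Type SubIntType = { "subint", &IntType,    subint_mro };
static Type FakeType   = { "fake",   &ObjectType, fake_mro };

static IntObject real_int = { { &SubIntType }, 42 };
static Object    forged   = { &FakeType };   /* no 'value' field behind it */

int main(void) {
    printf("subint: mro=%d base=%d\n", check_by_mro(&real_int.head, &IntType),
           check_by_base(&real_int.head, &IntType));
    printf("forged: mro=%d base=%d\n", check_by_mro(&forged, &IntType),
           check_by_base(&forged, &IntType));
    return 0;
}
```

A caller that casts to IntObject after the MRO-based check would read a value field the forged object does not have; the base-chain check rejects it while still accepting the genuine subclass.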