New submission from Michael Foord <mich...@voidspace.org.uk>:

In Python 3 a metaclass can create a class __dict__ that is not a true 
dictionary. This can trigger code execution when accessing __dict__ members. 
getattr_static should not access them directly but do so using dict methods 
directly for dict subclasses and skipping classes that have non-dicts for 
__dict__.

The documentation should mention explicitly that the "no code execution" 
feature of this function is *not* a security feature and should not be relied 
on for security purposes.

----------
assignee: michael.foord
components: Library (Lib)
messages: 132967
nosy: michael.foord
priority: normal
severity: normal
stage: test needed
status: open
title: inspect.getattr_static code execution w/ class body as non dict
versions: Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11764>
_______________________________________
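
The lookup discipline the report asks for, as an added illustration that is not code from the report or from CPython: call the base `dict` method unbound for dict subclasses and skip any `__dict__` that is not a dict. It uses instance namespaces as a stand-in for the class case, and `NoisyDict`, `NoisyMapping`, `Holder`, `Odd`, `naive_lookup` and `static_lookup` are all constructed names.

```python
MISSING = object()
calls = []  # every user-defined hook that runs during a lookup is recorded here


class NoisyDict(dict):  # constructed: dict subclass whose accessors have side effects
    def __getitem__(self, key):
        calls.append(("NoisyDict.__getitem__", key))
        return dict.__getitem__(self, key)

    def get(self, key, default=None):
        calls.append(("NoisyDict.get", key))
        return dict.get(self, key, default)


class NoisyMapping:  # constructed: not a dict at all, but used as a __dict__
    def __getitem__(self, key):
        calls.append(("NoisyMapping.__getitem__", key))
        return "from mapping"


class Holder:
    pass  # its instance __dict__ is swapped for a NoisyDict in make_samples()


class Odd:
    __dict__ = NoisyMapping()  # class attribute shadows the usual __dict__ descriptor


def make_samples():
    holder = Holder()
    holder.__dict__ = NoisyDict(secret=1)
    return holder, Odd()


def naive_lookup(obj, name):
    # Ordinary indexing dispatches to the namespace's own __getitem__.
    return obj.__dict__[name]


def static_lookup(obj, name):
    try:
        namespace = object.__getattribute__(obj, "__dict__")
    except AttributeError:
        return MISSING
    # issubclass on type() avoids the __class__ lookup that isinstance may perform.
    if not issubclass(type(namespace), dict):
        return MISSING  # skip namespaces that are not dicts
    # The unbound base-class method ignores overrides on dict subclasses.
    return dict.get(namespace, name, MISSING)
```

After any call to `static_lookup`, `calls` stays empty, while `naive_lookup` on the same objects records the overridden hooks that ran.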