[issue11133] inspect.getattr_static code execution

2011-03-16 Thread Michael Foord
Michael Foord added the comment: Thanks Daniel (and sorry Andreas). Benjamin Peterson has fixed this.

[issue11133] inspect.getattr_static code execution

2011-03-16 Thread Roundup Robot
Roundup Robot added the comment: New changeset 382cb3386d57 by Benjamin Peterson in branch '3.2': correct patch ack (#11133) http://hg.python.org/cpython/rev/382cb3386d57

[issue11133] inspect.getattr_static code execution

2011-03-16 Thread Daniel Urban
Daniel Urban added the comment: The new entry in Misc/NEWS says: "Patch by Daniel Urban." But it wasn't me who made the patch; I just opened the issue.

[issue11133] inspect.getattr_static code execution

2011-03-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 8c7eac34f7bf by Michael Foord in branch '3.2': Closes issue 11133. Fixes two cases where inspect.getattr_static could trigger code execution http://hg.python.org/cpython/rev/8c7eac34f7bf -- nosy: +python-dev resolution: -> fixed stage: -

[issue11133] inspect.getattr_static code execution

2011-02-21 Thread Andreas Stührk
Andreas Stührk added the comment: Updated patch. -- Added file: http://bugs.python.org/file20830/inspect_issue_11133_v2.patch

[issue11133] inspect.getattr_static code execution

2011-02-21 Thread Andreas Stührk
Andreas Stührk added the comment:

> The patch is not sufficient - instances may have a class member "__dict__"
> whilst still having an instance __dict__.

Sure, but I don't think there is a way you can access the instance __dict__ in that case inside Python code. At least I can't think of

[issue11133] inspect.getattr_static code execution

2011-02-21 Thread Michael Foord
Michael Foord added the comment: __dict__ as a property is documented as an exception to the "no code execution" claim. The patch is not sufficient - instances may have a class member "__dict__" whilst still having an instance __dict__. Alternatively the "__dict__" property may be provided b

[issue11133] inspect.getattr_static code execution

2011-02-20 Thread Andreas Stührk
Andreas Stührk added the comment: Attached is a patch that fixes the issue: The dict methods are now used directly and before every access to an instance's "__dict__" attribute, it is checked that that attribute is really the instance's attribute and not a class attribute of the instance's ty

[issue11133] inspect.getattr_static code execution

2011-02-20 Thread Florian Mayer
Florian Mayer added the comment: Apparently another way to get getattr_static to execute code in Python 2.3rc3 is simply the following.

>>> class Foo:
...     @property
...     def __dict__(self):
...         print("Hello, World.")
...         return {}
...
>>> import inspect
>>> inspect.geta

[issue11133] inspect.getattr_static code execution

2011-02-06 Thread Michael Foord
Changes by Michael Foord: -- assignee: -> michael.foord

[issue11133] inspect.getattr_static code execution

2011-02-06 Thread Michael Foord
Michael Foord added the comment: The fix is to use dict methods rather than accessing members through the instance. It will have to wait until 3.2 is out now though.

[issue11133] inspect.getattr_static code execution

2011-02-06 Thread Daniel Urban
New submission from Daniel Urban: The documentation of getattr_static says: "The only known case that can cause getattr_static to trigger code execution, and cause it to return incorrect results (or even break), is where a class uses __slots__ and provides a __dict__ member using a property or