[issue11764] inspect.getattr_static code execution w/ class body as non dict
Michael Foord
report at bugs.python.org
Mon Apr 4 22:35:22 CEST 2011
New submission from Michael Foord <michael at voidspace.org.uk>:
In Python 3 a metaclass can create a class __dict__ that is not a true dictionary. This can trigger code execution when accessing __dict__ members. getattr_static should not access them directly but do so using dict methods directly for dict subclasses and skipping classes that have non-dicts for __dict__.
The documentation should mention explicitly that the "no code execution" feature of this function is *not* a security feature and should not be relied on for security purposes.
----------
assignee: michael.foord
components: Library (Lib)
messages: 132967
nosy: michael.foord
priority: normal
severity: normal
stage: test needed
status: open
title: inspect.getattr_static code execution w/ class body as non dict
versions: Python 3.2, Python 3.3
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11764>
_______________________________________
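
The dict-subclass case from the report, as an added example that is not part of the original message and not CPython's own code: an instance `__dict__` that is a dict subclass runs its overridden methods on a normal lookup, while calling the `dict` methods directly does not. `NoisyDict`, `Target`, `naive_lookup`, `static_lookup` and `stdlib_lookup` are hypothetical names, and the sketch assumes the class defines no `__dict__` descriptor of its own.

```python
import inspect

_MISSING = object()
calls = []  # records every time overridden (user) code runs


class NoisyDict(dict):
    """Constructed dict subclass whose lookup methods run user code."""

    def get(self, key, default=None):
        calls.append(("get", key))
        return super().get(key, default)

    def __getitem__(self, key):
        calls.append(("__getitem__", key))
        return super().__getitem__(key)


class Target:
    pass


def make_target():
    obj = Target()
    obj.__dict__ = NoisyDict(secret=42)  # a dict subclass is accepted here
    return obj


def naive_lookup(obj, name):
    # Dispatches to NoisyDict.get, so the override executes.
    return obj.__dict__.get(name, _MISSING)


def static_lookup(obj, name):
    # Fetch __dict__ without the instance's own __getattribute__/__getattr__.
    # Assumption: the class has no __dict__ property; that case is out of scope.
    try:
        ns = object.__getattribute__(obj, "__dict__")
    except AttributeError:
        return _MISSING
    if not issubclass(type(ns), dict):
        return _MISSING  # skip namespaces that are not dicts at all
    # Unbound dict.get ignores any get/__getitem__ override on the subclass.
    return dict.get(ns, name, _MISSING)


def stdlib_lookup(obj, name):
    return inspect.getattr_static(obj, name, _MISSING)
```

Avoiding the override only keeps the lookup from running that particular hook; as the report says, it is not a security boundary.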