[Python-Dev] Evil setattr hack

[Guido van Rossum]

> Guido van Rossum <guido@python.org> writes:
> 
> > Someone accidentally discovered a way to set attributes of built-in
> > types, even though the implementation tries to prevent this.
> 
> [snip]
> 
> > What to do about this?

Michael Hudson:
> Well, one approach would be special cases in PyObject_GenericSetAttr,
> I guess.

That's not quite enough, because PyObject_GenericSetAttr also gets
called by code that should be allowed; I don't want to move all of the
special processing from type_setattro() to PyObject_GenericSetAttr.

But, having thought some more about this, I think adding a check to
wrap_setattr() might be the thing to do.  That gets called when you
call object.__setattr__(x, "foo", value), but not when you do
x.foo = value, so it's okay if it slows it down a tad.

The test should make sure that self->ob_type->tp_setattro equals func,
or something like that (haven't thought enough about the exact test
which allows calling object.__setattr__ from a subclass that extends
__setattr__ but not in the offending case).

--Guido van Rossum (home page: http://www.python.org/~guido/)