[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
Jon Ribbens
jon+python-dev at unequivocal.co.uk
Fri Apr 8 12:47:16 EDT 2016
On Fri, Apr 08, 2016 at 05:49:12PM +0200, Marcin Kościelnicki wrote:
> On 08/04/16 16:18, Jon Ribbens wrote:
> That one is trivially fixable, but here goes:
>
> async def a():
> global c
> c = b.cr_frame.f_back.f_back.f_back
>
> b = a()
> b.send(None)
> c.f_builtins['print']('broken')
Ah, I've not used Python 3.5, and I can't find any documentation on
this cr_frame business, but I've added cr_frame and f_back to the
disallowed attributes list.
> Also, if the point of giving me a subclass of datetime is to prevent access
> to the actual class, that can be circumvented:
>
> >>> real_datetime = datetime.datetime.mro()[1]
> >>> real_datetime
> <class 'datetime.datetime'>
>
> But I'm not sure what good that is.
It means you can alter the datetime class that is used by the
containing application, which is bad - you could lie to it about
what day it is for example ;-)
I've made it so instead of a direct subclass it now makes an
intermediate subclass which makes mro() return an empty list.
More information about the Python-Dev
mailing list