Untrusted code execution
Jon Ribbens
jon+usenet at unequivocal.co.uk
Tue Apr 5 15:13:07 EDT 2016
On 2016-04-05, Chris Angelico <rosuav at gmail.com> wrote:
> You can also create objects of various types using literal/display
> syntax, and that might let you craft some weird construct that
> effectively access those attributes without actually having an
> attribute that starts with an underscore. (Think of "getattr(x,
> '\x5f_class__')", although obviously it'll take more work than that,
> since getattr itself isn't available.)
Indeed. Although I think it would be safe to add a "proxy" getattr()
to the namespace's __builtins__ that just checked if the first
character of "name" was "_" and if so raised an AttributeError or
somesuch, and otherwise passed straight through to the real getattr(),
e.g.:
def proxy_getattr(obj, name, *args):
if type(name) is str and not name.startswith("_"):
return getattr(obj, name, *args)
raise AttributeError("Not allowed to access private attributes")
More information about the Python-list
mailing list