[Python-checkins] r58006 - python/trunk/Lib/test/crashers/borrowed_ref_4.py

armin.rigo python-checkins at python.org
Thu Sep 6 11:30:38 CEST 2007


Author: armin.rigo
Date: Thu Sep  6 11:30:38 2007
New Revision: 58006

Added:
   python/trunk/Lib/test/crashers/borrowed_ref_4.py   (contents, props changed)
Log:
PyDict_GetItem() returns a borrowed reference.
This attack is against ceval.c:IMPORT_NAME, which calls an
object (__builtin__.__import__) without holding a reference to it.


Added: python/trunk/Lib/test/crashers/borrowed_ref_4.py
==============================================================================
--- (empty file)
+++ python/trunk/Lib/test/crashers/borrowed_ref_4.py	Thu Sep  6 11:30:38 2007
@@ -0,0 +1,28 @@
+"""
+PyDict_GetItem() returns a borrowed reference.
+This attack is against ceval.c:IMPORT_NAME, which calls an
+object (__builtin__.__import__) without holding a reference to it.
+"""
+
+import types
+import __builtin__
+
+
+class X(object):
+    def __getattr__(self, name):
+        # this is called with name == '__bases__' by PyObject_IsInstance()
+        # during the unbound method call -- it frees the unbound method
+        # itself before it invokes its im_func.
+        del __builtin__.__import__
+        return ()
+
+pseudoclass = X()
+
+class Y(object):
+    def __call__(self, *args):
+        # 'self' was freed already
+        print self, args
+
+# make an unbound method
+__builtin__.__import__ = types.MethodType(Y(), None, (pseudoclass, str))
+import spam
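Review bot: X.__getattr__ ignores its name argument and runs "del __builtin__.__import__" on every lookup, so if it is ever entered a second time, or for an attribute other than the '__bases__' the comment mentions, the del raises AttributeError instead of exercising the borrowed-reference path. Guarding the body with "if name == '__bases__':" would make the trigger match the comment. The final MethodType line also deserves a comment on why the class argument is the tuple (pseudoclass, str) rather than pseudoclass alone; presumably str is there so the instance check on the module name still succeeds and the call reaches Y.__call__, but the file does not say so. Finally, the docstring names the bug but not the expected outcome of running the file, and nothing restores __builtin__.__import__ afterwards, so it is worth stating the expected failure for anyone who runs this once IMPORT_NAME holds its own reference.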

