Issue 11764: inspect.getattr_static code execution w/ class body as non dict

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/55973

classification

Title:	inspect.getattr_static code execution w/ class body as non dict
Type:		Stage:	test needed
Components:	Library (Lib)	Versions:	Python 3.2, Python 3.3

process

Status:	closed	Resolution:	not a bug
Dependencies:		Superseder:
Assigned To:	michael.foord	Nosy List:	Trundle, daniel.urban, eric.araujo, michael.foord, ysj.ray
Priority:	normal	Keywords:

Created on 2011-04-04 20:35 by michael.foord, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (4)
msg132967 - (view)	Author: Michael Foord (michael.foord) *	Date: 2011-04-04 20:35
In Python 3 a metclass can create a class __dict__ that is not a true dictionary. This can trigger code execution when accessing __dict__ members. getattr_static should not access them directly but do so using dict methods directly for dict subclasses and skipping classes that have non-dicts for __dict__. The documentation should mention explicitly that the "no code execution" feature of this function is not a security feature and should not be relied on for security purposes.
msg133286 - (view)	Author: Andreas Stührk (Trundle) *	Date: 2011-04-08 01:48
Can you perhaps elaborate on the first part? I really can't see right now how a class __dict__ can be something different from a dictionary. It's true that the class dict can be any mapping while the class is being created, but that's uninteresting for getattr_static as there is no class object yet that one can pass to getattr_static.
msg133321 - (view)	Author: Éric Araujo (eric.araujo) *	Date: 2011-04-08 15:51
Andreas: metaclass.__prepare__ can return any mapping object. See http://docs.python.org/dev/reference/datamodel#customizing-class-creation
msg133323 - (view)	Author: Éric Araujo (eric.araujo) *	Date: 2011-04-08 15:55
I shot too fast, you were right. The mapping returned by __prepare__ is used during class creation, but __dict__ on the instance is a basic dict afterwards (not sure the doc is clear, I tested it in a shell).

History
Date	User	Action	Args
2022-04-11 14:57:15	admin	set	github: 55973
2011-12-19 01:27:07	michael.foord	set	status: open -> closed resolution: not a bug
2011-04-08 16:05:18	daniel.urban	set	nosy: + daniel.urban
2011-04-08 15:55:12	eric.araujo	set	messages: + msg133323
2011-04-08 15:51:02	eric.araujo	set	nosy: + eric.araujo messages: + msg133321
2011-04-08 01:48:45	Trundle	set	messages: + msg133286
2011-04-08 00:18:05	Trundle	set	nosy: + Trundle
2011-04-05 08:16:28	ysj.ray	set	nosy: + ysj.ray
2011-04-04 20:35:20	michael.foord	create