Message 228159 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	gvanrossum
Recipients	Antony.Lee, Jim.Jewett, Trundle, Yury.Selivanov, barry, benjamin.peterson, cvrebert, daniel.urban, eric.araujo, ethan.furman, gcbirzan, gvanrossum, jamesh, jwilk, ncoghlan, pitrou, yorik.sar
Date	2014-10-02.05:10:06
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<CAP7+vJLYf_T4_NB0ej6t9HTTsy_jVRR_MvOjcQ+aG2-zOAffxg@mail.gmail.com>
In-reply-to	<1412225585.01.0.470072737898.issue12029@psf.upfronthosting.co.za>

Content
ISTM Nick meant that the exception that was raised can't cause arbitrary code execution. On Wednesday, October 1, 2014, Antony Lee <report@bugs.python.org> wrote: > > Antony Lee added the comment: > > "it looks like all the avenues for arbitrary code execution while checking > if an exception handler matches a thrown an exception are closed off." > > This seems to be directly contradicted by your previous sentence: "the > except clause accepts any expressions producing a tuple or BaseException > instance". > > e.g. > > === > > >>> def f(): raise AttributeError > ... > >>> try: raise IndexError > ... except f(): raise KeyError > ... > Traceback (most recent call last): > File "<stdin>", line 1, in <module> > IndexError > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File "<stdin>", line 2, in <module> > File "<stdin>", line 1, in f > AttributeError > > === > > (note that f() is evaluated only if the body of "try" actually raises) > > ---------- > nosy: +Antony.Lee > > _______________________________________ > Python tracker <report@bugs.python.org <javascript:;>> > <http://bugs.python.org/issue12029> > _______________________________________ >

ISTM Nick meant that the exception that was raised can't cause arbitrary
code execution.

On Wednesday, October 1, 2014, Antony Lee <report@bugs.python.org> wrote:

>
> Antony Lee added the comment:
>
> "it looks like all the avenues for arbitrary code execution while checking
> if an exception handler matches a thrown an exception are closed off."
>
> This seems to be directly contradicted by your previous sentence: "the
> except clause accepts any expressions producing a tuple or BaseException
> instance".
>
> e.g.
>
> ===
>
> >>> def f(): raise AttributeError
> ...
> >>> try: raise IndexError
> ... except f(): raise KeyError
> ...
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> IndexError
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "<stdin>", line 2, in <module>
>   File "<stdin>", line 1, in f
> AttributeError
>
> ===
>
> (note that f() is evaluated only if the body of "try" actually raises)
>
> ----------
> nosy: +Antony.Lee
>
> _______________________________________
> Python tracker <report@bugs.python.org <javascript:;>>
> <http://bugs.python.org/issue12029>
> _______________________________________
>

History
Date	User	Action	Args
2014-10-02 05:10:07	gvanrossum	set	recipients: + gvanrossum, barry, jamesh, ncoghlan, pitrou, benjamin.peterson, jwilk, eric.araujo, Trundle, cvrebert, daniel.urban, yorik.sar, ethan.furman, Yury.Selivanov, Jim.Jewett, gcbirzan, Antony.Lee
2014-10-02 05:10:07	gvanrossum	link	issue12029 messages
2014-10-02 05:10:06	gvanrossum	create