Issue 11829: inspect.getattr_static code execution with meta-metaclasses

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/56038

classification

Title:	inspect.getattr_static code execution with meta-metaclasses
Type:	behavior	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.2, Python 3.3

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	michael.foord	Nosy List:	Trundle, michael.foord, ncoghlan, python-dev
Priority:	normal	Keywords:	patch

Created on 2011-04-11 22:46 by Trundle, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
getattr_static_metaclasses.patch	Trundle, 2011-04-11 22:46		review
getattr_static_metaclasses_v2.patch	Trundle, 2011-12-21 21:44		review

Messages (4)
msg133549 - (view)	Author: Andreas Stührk (Trundle) *	Date: 2011-04-11 22:46
The commit for issue #11133 omitted a part of the patch that checked whether the __dict__ attribute of metaclasses are shadowed. That makes it possible to trigger code execution in the case of metaclasses that have metaclasses. Attached is a patch with a test and a fix.
msg149810 - (view)	Author: Michael Foord (michael.foord) *	Date: 2011-12-19 01:28
Andreas, is this still needed and valid?
msg150046 - (view)	Author: Andreas Stührk (Trundle) *	Date: 2011-12-21 21:44
As the test demonstrates, it's still possible to trigger a dynamic lookup without the patch, hence I think this is still needed and valid, yes. I updated the patch to make it reflect the latest committed changes.
msg150060 - (view)	Author: Roundup Robot (python-dev)	Date: 2011-12-22 01:13
New changeset 8f33758df19a by Michael Foord in branch '3.2': Metaclasses with metaclasses with a __dict__ descriptor can no longer trigger code execution with inspect.getattr_static. http://hg.python.org/cpython/rev/8f33758df19a

History
Date	User	Action	Args
2022-04-11 14:57:16	admin	set	github: 56038
2011-12-22 01:13:43	python-dev	set	status: open -> closed nosy: + python-dev messages: + msg150060 resolution: fixed stage: patch review -> resolved
2011-12-21 21:44:08	Trundle	set	files: + getattr_static_metaclasses_v2.patch messages: + msg150046
2011-12-19 01:28:19	michael.foord	set	assignee: michael.foord messages: + msg149810
2011-07-15 18:54:52	pitrou	set	nosy: + ncoghlan stage: patch review
2011-04-11 22:46:41	Trundle	create