Classification
Title: Code execution without calling it
Type: behavior
Stage: resolved
Components:
Versions: Python 3.7

Process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: Emilio López Arias, SilentGhost
Priority: normal
Keywords:

Created on 2019-06-26 18:57 by Emilio López Arias, last changed 2019-06-26 19:12 by SilentGhost. This issue is now closed.

Messages (5)
msg346661 - (view) Author: Emilio López Arias (Emilio López Arias) Date: 2019-06-26 18:57
Create a new python file: example.py
------------------------------------
def my_decorator(f):
    # Runs as soon as the decorated function is defined, not when it is called
    print("before")
    f()
    print("after")
    # No return value: my_function is rebound to None after decoration


@my_decorator
def my_function():
    print("hello world")
------------------------------------

If you execute the file example.py you should see some output you shouldn't:
(base) C:\Users\emilio\curso_python>python --version
Python 3.7.3
(base) C:\Users\emilio\curso_python>python ejemplo.py
before
hello world
after
msg346663 - (view) Author: SilentGhost (SilentGhost) * (Python triager) Date: 2019-06-26 19:05
It seems you're misunderstanding the mechanics of decorators. The decorator is called when the @decorator statement is executed, and in that function *you* are calling the wrapped function. There are tutorials available on how to use this feature; I'd suggest you try them.
msg346665 - (view) Author: Emilio López Arias (Emilio López Arias) Date: 2019-06-26 19:07
Why is the code executed?
I could make a library or a package and include evil code instead of a
print...

On Wed., 26 Jun. 2019 at 21:05, SilentGhost (<report@bugs.python.org>)
wrote:

>
> SilentGhost <ghost.adh@runbox.com> added the comment:
>
> It seems you're misunderstanding mechanics of decorators. Decorator is
> called when @decorator statement is executed and in that function *you* are
> calling the wrapped function. There are tutorials available on how to use
> this feature, I'd suggest you try them.
>
> ----------
> nosy: +SilentGhost
> resolution:  -> not a bug
> stage:  -> resolved
> status: open -> closed
> type: security -> behavior
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue37418>
> _______________________________________
>
msg346666 - (view) Author: Paul Ganssle (p-ganssle) * (Python committer) Date: 2019-06-26 19:11
> why the code is executed?
> I could do a library or a package and include evil code instead of a
> print...

The code is executed because the decorator syntax

    @decorator
    def f():
       ...

is equivalent to

    def f():
       ...

    f = decorator(f)

So you are indeed calling the `decorator` function.

It is true that you could put evil code in the decorator function, but it's also true that you can execute evil code directly in the Python function as well, e.g.:

    execute_evil_code()

    def f():
        ...

Importing such a package would call `execute_evil_code()`.
msg346667 - (view) Author: SilentGhost (SilentGhost) * (Python triager) Date: 2019-06-26 19:12
The whole file is executed on import; you might as well have taken the "evil" code and placed it in the global scope and not in the function. If you want to learn how to use decorators, again I suggest following a tutorial, SO or python-help. This is not a security issue.
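Paul's equivalence (`@decorator` is `f = decorator(f)`) and SilentGhost's point that the whole file runs on import, as an added example that is not part of the thread. The module source below is constructed; the names reporter_decorator, logging_decorator, decorator_demo and EVENTS are assumptions. It imports the file the normal way so the order of events can be checked, and shows that the report's decorator, which returns nothing, leaves my_function bound to None, while a decorator that returns a wrapper runs nothing until called.

```python
import importlib
import sys
import tempfile
from pathlib import Path

# Constructed module source; names are illustrative, not from the report.
# reporter_decorator mirrors the report: it calls f while the module is
# being defined and returns nothing, so my_function is rebound to None.
# logging_decorator is the idiomatic form: it returns a wrapper and runs
# nothing until that wrapper is called.
MODULE_SOURCE = '''
import functools
EVENTS = []

def reporter_decorator(f):
    EVENTS.append("decorator called at definition time")
    f()   # the decorator, not the importer, calls f
    # no return: my_function = reporter_decorator(my_function) -> None

def logging_decorator(f):
    @functools.wraps(f)
    def wrapper(*args, **kwargs):
        EVENTS.append("wrapper called")
        return f(*args, **kwargs)
    return wrapper

@reporter_decorator
def my_function():
    EVENTS.append("my_function body ran")

@logging_decorator
def greet(name):
    return "hello " + name

EVENTS.append("module-level statement ran")   # also runs on import
'''

def import_constructed_module():
    """Write the source to a temp dir and import it the normal way, so
    every module-level statement (decorator calls included) executes."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "decorator_demo.py").write_text(MODULE_SOURCE)
    sys.modules.pop("decorator_demo", None)
    sys.path.insert(0, tmp)
    try:
        importlib.invalidate_caches()
        return importlib.import_module("decorator_demo")
    finally:
        sys.path.remove(tmp)
```

After `import_constructed_module()`, EVENTS already holds the decorator and body entries before any caller has touched the module, which is exactly what the report observed.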
History
Date                 | User               | Action | Args
2019-06-26 19:12:30  | SilentGhost        | set    | messages: + msg346667
2019-06-26 19:11:30  | p-ganssle          | set    | nosy: - p-ganssle
2019-06-26 19:11:21  | p-ganssle          | set    | nosy: + p-ganssle; messages: + msg346666
2019-06-26 19:07:15  | Emilio López Arias | set    | messages: + msg346665
2019-06-26 19:05:18  | SilentGhost        | set    | status: open -> closed; type: security -> behavior; nosy: + SilentGhost; messages: + msg346663; resolution: not a bug; stage: resolved
2019-06-26 18:57:03  | Emilio López Arias | create |