Author daniel.urban
Recipients daniel.urban, michael.foord
Date 2011-02-06.16:30:21
The documentation of getattr_static says:
"The only known case that can cause getattr_static to trigger code execution, and cause it to return incorrect results (or even break), is where a class uses __slots__ and provides a __dict__ member using a property or descriptor. If you find other cases please report them so they can be fixed or documented."

I'd like to report another case: when an object's __dict__ is an instance of a dict subclass which overrides dict.get:

>>> import inspect
>>> _sentinel = object()
>>> class MyDict(dict):
...     def get(self, key, default=_sentinel):
...             print('Hello World!') # This code will execute
...             if default is _sentinel:
...                     return super().get(key)
...             else:
...                     return super().get(key, default)
>>> class X:
...     def __init__(self):
...             self.__dict__ = MyDict()
>>> x = X()
>>> inspect.getattr_static(x, 'foo', 0)
Hello World!

(In line 1072, _check_instance calls MyDict.get: instance_dict.get(attr, _sentinel).)
Date                 User          Action  Args
2011-02-06 16:30:22  daniel.urban  set     recipients: + daniel.urban, michael.foord
2011-02-06 16:30:22  daniel.urban  set     messageid: <>
2011-02-06 16:30:21  daniel.urban  link    issue11133 messages
2011-02-06 16:30:21  daniel.urban  create
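Added example, not part of the original message and not CPython's own code: it contrasts the bound call quoted in the report, instance_dict.get(attr, _sentinel), with an unbound dict.get call that reads the same mapping without dispatching to the subclass override. The helper names (lookup_dispatching, lookup_static, dict_overrides_get, getattr_static_runs_override) and the calls list are hypothetical, and MyDict here is a constructed variant that records calls instead of printing.

```python
import inspect

_sentinel = object()
calls = []  # every run of the overridden get() is recorded here


class MyDict(dict):
    """Constructed stand-in for the report's dict subclass."""

    def get(self, key, default=None):
        calls.append(key)  # side effect: proof that user code ran
        return super().get(key, default)


class X:
    def __init__(self):
        self.__dict__ = MyDict(foo=1)


def lookup_dispatching(obj, attr, default=_sentinel):
    """Bound call, the form quoted in the report: runs MyDict.get."""
    instance_dict = object.__getattribute__(obj, "__dict__")
    return instance_dict.get(attr, default)


def lookup_static(obj, attr, default=_sentinel):
    """Unbound dict.get: reads the mapping without running any override."""
    try:
        instance_dict = object.__getattribute__(obj, "__dict__")
    except AttributeError:  # e.g. an instance with no __dict__ at all
        return default
    return dict.get(instance_dict, attr, default)


def dict_overrides_get(obj):
    """True if obj's __dict__ is a dict subclass that replaces get()."""
    try:
        instance_dict = object.__getattribute__(obj, "__dict__")
    except AttributeError:
        return False
    return type(instance_dict).get is not dict.get


def getattr_static_runs_override(obj, attr):
    """Probe the running interpreter's inspect.getattr_static."""
    calls.clear()
    inspect.getattr_static(obj, attr, None)
    return bool(calls)
```

getattr_static_runs_override(X(), "foo") reports whether the interpreter in use still reaches the override; its result depends on the Python version.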