
Author serhiy.storchaka
Recipients artem.smotrakov, rhettinger, serhiy.storchaka
Date 2016-08-22.05:50:57
Message-id <1471845057.47.0.234790649593.issue27826@psf.upfronthosting.co.za>
In-reply-to
Content
The simplest example:

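import marshal
t = [],                 # one-element tuple holding an empty list
t[0].append(t)          # the list now refers back to the tuple
b = marshal.dumps(t)
b = bytearray(b)
b[2] = b'<'[0]          # overwrite the TYPE_LIST tag '[' with TYPE_SET '<'
marshal.loads(b)        # the set hashes the tuple before it is initialized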

Create a recursive tuple containing a list containing a reference to the original tuple. Marshal it and replace TYPE_LIST ('[') by TYPE_SET ('<'). Now the marshalled data contains a recursive tuple containing a set containing a reference to the original tuple. When a tuple is added to a set, it still is not initialized, and the hash is calculated on an uninitialized tuple.

I believe it is not possible to create such a structure without hacking marshal data or using the C API. And it is hard to protect against such a situation in marshal.c.
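Added example, not part of the original message or of CPython: a regression probe that feeds the same retagged data to marshal.loads in a child interpreter, so a crash shows up as an exit status instead of taking down the calling process. The names build_tampered and probe are hypothetical, and pinning marshal format version 4 (to keep the list tag at byte 2) is an assumption of this example.

```python
import marshal
import subprocess
import sys

# Child process: unmarshal whatever arrives on stdin, nothing else.
CHILD = "import marshal, sys; marshal.loads(sys.stdin.buffer.read())"


def build_tampered():
    """Rebuild the message's input: a self-referencing tuple whose list is retagged as a set."""
    t = ([],)
    t[0].append(t)
    # Assumption: version 4 is pinned so the layout is
    # [tuple tag][1-byte size][list tag]...
    blob = bytearray(marshal.dumps(t, 4))
    if blob[2] & 0x7F != ord("["):
        raise ValueError("unexpected marshal layout")
    # TYPE_LIST -> TYPE_SET, keeping the reference flag bit if it is set.
    blob[2] = (blob[2] & 0x80) | ord("<")
    return bytes(blob)


def probe(blob, timeout=30):
    """Classify how a fresh interpreter handles marshal.loads(blob)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD],
            input=blob,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode == 0:
        return "loaded"
    if proc.returncode == 1:
        return "rejected"  # uncaught Python exception, interpreter stayed alive
    return "crashed"  # killed by a signal (negative on POSIX) or abnormal exit


if __name__ == "__main__":
    print("benign list:", probe(marshal.dumps([1, 2])))
    print("tampered   :", probe(build_tampered()))
```

A "crashed" result for the tampered input means the interpreter build under test still hashes the uninitialized tuple; the same child-process isolation is a reasonable way to handle any marshal data whose origin is not trusted.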