Author ammar2
Recipients ammar2, christian.heimes, steve.dower
Date 2021-01-01.00:16:58
It is possible to access all the frame objects in the interpreter without triggering any audit hooks through the use of exceptions. Namely, through the traceback's tb_frame property. Ordinarily one would trigger the "sys._current_frames" or "sys._getframe" event but this code path bypasses those.

There is already precedent for raising events for certain sensitive properties such as `__code__` in funcobject (through an "object.__getattr__" event), so perhaps this property should be protected in a similar way.

This issue was recently demonstrated in a security competition:
Date                 User    Action  Args
2021-01-01 00:16:58  ammar2  set     recipients: + ammar2, christian.heimes, steve.dower
2021-01-01 00:16:58  ammar2  set     messageid: <>
2021-01-01 00:16:58  ammar2  link    issue42800 messages
2021-01-01 00:16:58  ammar2  create
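
An added example, not part of the original message or of CPython: a probe that records which audit events each frame-access path raises, so the hook coverage described in the report can be checked on a given interpreter. The helper names (`probe`, `coverage_report`, `FRAME_EVENTS`) are assumptions made for illustration.

```python
import sys

FRAME_EVENTS = {"sys._getframe", "sys._current_frames"}
_recorded = None  # list of event names while a probe is running, else None


def _hook(event, args):
    # Audit hooks cannot be removed once installed, so only record during a probe.
    if _recorded is not None:
        _recorded.append(event)


sys.addaudithook(_hook)


def probe(access):
    """Call access() and return (its result, the set of audit events it raised)."""
    global _recorded
    _recorded = []
    try:
        result = access()
        return result, set(_recorded)
    finally:
        _recorded = None


def frame_via_getframe():
    # The audited path: raises the "sys._getframe" event.
    return sys._getframe()


def frame_via_traceback():
    # The path from the report: a frame reached through a caught exception.
    try:
        raise RuntimeError("constructed exception for the probe")
    except RuntimeError as exc:
        return exc.__traceback__.tb_frame


def coverage_report():
    """Per access path: was a frame obtained, and which audit events were seen."""
    report = {}
    for name, access in (("getframe", frame_via_getframe),
                         ("tb_frame", frame_via_traceback)):
        frame, events = probe(access)
        report[name] = {
            "got_frame": type(frame).__name__ == "frame",
            "frame_events": events & FRAME_EVENTS,
            "getattr_audited": "object.__getattr__" in events,
        }
    return report
```

A `tb_frame` entry with `got_frame` true, empty `frame_events` and `getattr_audited` false means the interpreter under test hands out frames on that path without notifying any hook, which is the gap the report describes.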