Message384143
It is possible to access all the frame objects in the interpreter without triggering any audit hooks through the use of exceptions. Namely, through the traceback's tb_frame property. Ordinarily one would trigger the "sys._current_frames" or "sys._getframe" event, but this code path bypasses those.
There is already precedent for raising events for certain sensitive properties such as `__code__` in funcobject (through an "object.__getattr__" event), so perhaps this property should be protected in a similar way.
This issue was recently demonstrated in a security competition:
* https://github.com/hstocks/ctf_writeups/blob/master/2020/hxp/audited/README.md
* https://github.com/fab1ano/hxp-ctf-20/blob/master/audited/README.md

| Date | User | Action | Args |
|---|---|---|---|
| 2021-01-01 00:16:58 | ammar2 | set | recipients: + ammar2, christian.heimes, steve.dower |
| 2021-01-01 00:16:58 | ammar2 | set | messageid: <1609460218.67.0.01717828776.issue42800@roundup.psfhosted.org> |
| 2021-01-01 00:16:58 | ammar2 | link | issue42800 messages |
| 2021-01-01 00:16:58 | ammar2 | create | |
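A check for the behaviour reported in the message above, as an added example (not code from the issue or from CPython): it reports which frame access paths the running interpreter exposes to an audit hook. The helper names are hypothetical, and the expected event for `tb_frame` is an assumption that follows the `__code__` precedent the message cites.

```python
import sys

def audited_events(action):
    """Run action() under a recording audit hook; return the events it saw."""
    seen, active = [], [True]

    def hook(event, args):
        if not active[0]:
            return
        # For object.__getattr__ the second argument is the attribute name.
        attr = args[1] if event == "object.__getattr__" and len(args) > 1 else None
        seen.append((event, attr))

    sys.addaudithook(hook)  # hooks cannot be removed, so mute it afterwards
    try:
        action()
    finally:
        active[0] = False
    return seen

def frame_via_traceback():
    """The path from the report: a frame taken from an exception's traceback."""
    try:
        raise RuntimeError("probe")  # constructed exception, only to get a traceback
    except RuntimeError as exc:
        return exc.__traceback__.tb_frame

# Each access path mapped to the audit event a monitoring hook would rely on.
# The tb_frame entry is an assumption modelled on the __code__ precedent.
PATHS = {
    "sys._getframe": (lambda: sys._getframe(), ("sys._getframe", None)),
    "sys._current_frames": (lambda: sys._current_frames(), ("sys._current_frames", None)),
    "traceback.tb_frame": (frame_via_traceback, ("object.__getattr__", "tb_frame")),
}

def frame_access_report():
    """Return {path: True if the running interpreter raised the expected event}."""
    return {name: expected in audited_events(fn) for name, (fn, expected) in PATHS.items()}

if __name__ == "__main__":
    for path, visible in frame_access_report().items():
        print(f"{path:22} {'audited' if visible else 'NOT audited'}")
```

A path reported as NOT audited is one that hook-based monitoring on that interpreter cannot see.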