Message 82439 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	amaury.forgeotdarc
Recipients	amaury.forgeotdarc, benjamin.peterson, jwp
Date	2009-02-18.22:51:06
SpamBayes Score	9.920188e-06
Marked as misclassified	No
Message-id	<1234997468.76.0.386676067446.issue5283@psf.upfronthosting.co.za>
In-reply-to

Content
I carefully looked at all places that store ->ob_type or Py_TYPE() in a local variable, and I could not find any exploit. Most places don't reuse the type once the method or the slot has been called. Two places were harder to analyze: subtype_clear (but an attack would use __del__, and use a reference cycle: subtype_clear is never called in this case) and PyObject_Generic(Get\|Set)Attr (the only escape path to python code could be through PyType_Ready; but it has already been called for heap types)

I carefully looked at all places that store ->ob_type or Py_TYPE() in a 
local variable, and I could not find any exploit. Most places don't 
reuse the type once the method or the slot has been called.

Two places were harder to analyze: subtype_clear (but an attack would 
use __del__, and use a reference cycle: subtype_clear is never called in 
this case) and PyObject_Generic(Get|Set)Attr (the only escape path to 
python code could be through PyType_Ready; but it has already been 
called for heap types)

History
Date	User	Action	Args
2009-02-18 22:51:08	amaury.forgeotdarc	set	recipients: + amaury.forgeotdarc, benjamin.peterson, jwp
2009-02-18 22:51:08	amaury.forgeotdarc	set	messageid: <1234997468.76.0.386676067446.issue5283@psf.upfronthosting.co.za>
2009-02-18 22:51:06	amaury.forgeotdarc	link	issue5283 messages
2009-02-18 22:51:06	amaury.forgeotdarc	create