Issue1058

classification
Title: Carlo Verre's object.__setattr__ hack allows modification of built in types
Type: security Severity: normal
Components: Core Versions:
Milestone:
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: pjenvey Nosy List: pjenvey, zyasoft
Priority: normal Keywords:

Created on 2008-06-15.03:36:56 by pjenvey, last changed 2008-11-23.06:32:09 by pjenvey.

Messages
msg3288 (view) Author: Philip Jenvey (pjenvey) Date: 2008-06-15.03:36:56 
object.__set/delattr__ allow modification of built in types, this is 
known as the Carlo Verre hack:

Jython 2.3a0+ (trunk:4630:4631M, Jun 14 2008, 20:07:38) 
[Java HotSpot(TM) Client VM (Apple Inc.)] on java1.5.0_13
Type "help", "copyright", "credits" or "license" for more information.
>>> object.__setattr__(str, 'lower', str.upper)
>>> 'dammit Carlo!'.lower()
'DAMMIT CARLO!'

See CPython's typeobject.c:hackfix for how they prevent this

This prevents test_descr.carloverre from passing
msg3541 (view) Author: Jim Baker (zyasoft) Date: 2008-09-13.22:21:29 
__setattr__/__delattr__ should test for a tag interface on derived types
such as a hypothetical PyDerived
msg3563 (view) Author: Jim Baker (zyasoft) Date: 2008-09-14.00:40:14 
As lsoto pointed out on IRC, we already have a builtin flag on the type.
msg3833 (view) Author: Philip Jenvey (pjenvey) Date: 2008-11-23.06:32:08 
fixed in r5611
History
Date User Action Args
2008-11-23 06:32:09pjenveysetstatus: open -> closed
resolution: fixed
messages: + msg3833
2008-11-23 05:13:24pjenveysetassignee: pjenvey
2008-09-14 00:40:14zyasoftsetmessages: + msg3563
2008-09-13 22:21:29zyasoftsetpriority: urgent -> normal
nosy: + zyasoft
messages: + msg3541
2008-06-15 03:36:56pjenveycreate

Supported by Python Software Foundation,
Powered by Roundup