Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

PyDict_GetItem() returns a borrowed reference. 

This attack is against ceval.c:IMPORT_NAME, which calls an
object (__builtin__.__import__) without holding a reference to it.
This commit is contained in:
Armin Rigo 2007-09-06 09:30:38 +00:00
parent bddc3416f8
commit 337841dac7
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Lib/test/crashers/borrowed_ref_4.py Normal file
View File

@ -0,0 +1,28 @@
"""
PyDict_GetItem() returns a borrowed reference.
This attack is against ceval.c:IMPORT_NAME, which calls an
object (__builtin__.__import__) without holding a reference to it.
"""
import types
import __builtin__
class X(object):
def __getattr__(self, name):
# this is called with name == '__bases__' by PyObject_IsInstance()
# during the unbound method call -- it frees the unbound method
# itself before it invokes its im_func.
del __builtin__.__import__
return ()
pseudoclass = X()
class Y(object):
def __call__(self, *args):
# 'self' was freed already
print self, args
# make an unbound method
__builtin__.__import__ = types.MethodType(Y(), None, (pseudoclass, str))
import spam