diff --git a/Lib/inspect.py b/Lib/inspect.py index 8b800f42cdf..fc9f6120446 100644 --- a/Lib/inspect.py +++ b/Lib/inspect.py @@ -1186,10 +1186,11 @@ def getattr_static(obj, attr, default=_sentinel): if obj is klass: # for types we check the metaclass too for entry in _static_getmro(type(klass)): - try: - return entry.__dict__[attr] - except KeyError: - pass + if _shadowed_dict(type(entry)) is _sentinel: + try: + return entry.__dict__[attr] + except KeyError: + pass if default is not _sentinel: return default raise AttributeError(attr) diff --git a/Lib/test/test_inspect.py b/Lib/test/test_inspect.py index 17c9f40ee6e..ef0d93944b9 100644 --- a/Lib/test/test_inspect.py +++ b/Lib/test/test_inspect.py @@ -1088,6 +1088,23 @@ class TestGetattrStatic(unittest.TestCase): self.assertIsNot(inspect.getattr_static(sys, "version", sentinel), sentinel) + def test_metaclass_with_metaclass_with_dict_as_property(self): + class MetaMeta(type): + @property + def __dict__(self): + self.executed = True + return dict(spam=42) + + class Meta(type, metaclass=MetaMeta): + executed = False + + class Thing(metaclass=Meta): + pass + + with self.assertRaises(AttributeError): + inspect.getattr_static(Thing, "spam") + self.assertFalse(Thing.executed) + class TestGetGeneratorState(unittest.TestCase): def setUp(self): diff --git a/Misc/NEWS b/Misc/NEWS index c52149760d3..d3587ddfae2 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -422,6 +422,9 @@ Library - Issue #13620: Support for Chrome browser in webbrowser.py Patch contributed by Arnaud Calmettes. +- Issue #11829: Fix code execution holes in inspect.getattr_static for + metaclasses with metaclasses. Patch by Andreas Stührk. + - Issue #12708: Add starmap() and starmap_async() methods (similar to itertools.starmap()) to multiprocessing.Pool. Patch by Hynek Schlawack.