Issue 1075356: exceeding obscure weakproxy bug (original) (raw)

Issue1075356

Created on 2004-11-29 16:10 by mwh, last changed 2022-04-11 14:56 by admin.

Files
File name Uploaded Description Edit
issue1075356.patch mrabarnett,2012-12-19 22:53
Messages (6)
msg60608 - (view) Author: Michael Hudson (mwh) (Python committer) Date: 2004-11-29 16:10
Broadly speaking, this line (488 in today's CVS) in Python/weakref.c isn't right: WRAP_UNARY(proxy_int, PyNumber_Int) because PyNumber_Int will convert from a string argument. You can "exploit" this like so: class U(unicode): pass u = U("1") try: range(u) except TypeError: print "raised, good" else: print "didn't raise, bad" import _weakref try: range(_weakref.proxy(u)) except TypeError: print "raised, good" else: print "didn't raise, bad" (prints raised, good didn't raise, bad for me). I think the fix is PyNumber_Int -> PyInt_AsLong, but haven't checked that.
msg82168 - (view) Author: Daniel Diniz (ajaksu2) * (Python triager) Date: 2009-02-15 20:41
Confirmed with rev69546.
msg125274 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-04 01:30
Works fine under 3.x.
msg125337 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2011-01-04 16:24
It's not fixed. range() now uses the tp_index slot, in weakrefs this becomes: WRAP_UNARY(proxy_index, PyNumber_Index) and indeed PyNumber_Index does not accept strings. But try with time.sleep() instead; here the line WRAP_UNARY(proxy_float, PyNumber_Float) is involved: import _weakref, time class U(str): pass u = U("1") try: time.sleep(u) except TypeError: print("raised, good") else: print("didn't raise, bad") try: time.sleep(_weakref.proxy(u)) except TypeError: print("raised, good") else: print("didn't raise, bad")
msg126916 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2011-01-24 05:07
I find this problem with 3.x and not with 2.x codeline
msg177789 - (view) Author: Matthew Barnett (mrabarnett) * (Python triager) Date: 2012-12-19 22:53
The patch ".patch" is my attempt to fix this bug. 'PyArg_ParseTuple', etc, eventually call 'convertsimple'. What this patch does is to insert some code at the start of 'convertsimple' that checks whether the argument is a weakref proxy and, if it is, fetch the object to which the proxy refers. From then on it's working with the true argument, so it'll work just like would have done if it been given the proxied object itself originally.
History
Date User Action Args
2022-04-11 14:56:08 admin set github: 41243
2012-12-19 22:53:19 mrabarnett set files: + issue1075356.patchversions: + Python 3.3nosy: + mrabarnettmessages: + keywords: + patch
2012-12-01 00:14:51 bruno.dupuis set nosy: + bruno.dupuis
2011-01-24 05:07:00 orsenthil set nosy: + orsenthilmessages: + versions: + Python 3.1, Python 3.2, - Python 2.7
2011-01-04 16:24:07 amaury.forgeotdarc set nosy: + amaury.forgeotdarcmessages: +
2011-01-04 01:30:59 pitrou set versions: - Python 3.1, Python 3.2nosy: + pitroumessages: + stage: test needed -> needs patch
2010-08-19 18:38:12 BreamoreBoy set versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6
2009-02-15 20:41:45 ajaksu2 set type: behaviorstage: test neededmessages: + nosy: + ajaksu2versions: + Python 2.6, - Python 2.4
2004-11-29 16:10:35 mwh create