[Python-3000] Addition to PEP 3101

Talin talin at acm.org
Tue May 1 05:06:06 CEST 2007


Greg Ewing wrote:
> Patrick Maupin wrote:
>> Method calls are deliberately disallowed by the PEP, so that the implementation has some hope of being securable.
>
> If attribute access is allowed, arbitrary code can already be triggered, so I don't see how this makes a difference to security.

Not quite. It depends on what you mean by 'arbitrary code'.

Let's take a hypothetical example: Suppose I have a format string which I downloaded from the nefarious "evil.org" web site which I suspect may contain "evil" formatting fields.

Now, I'd like to be able to use this format string, but I want to be able to contain the damage that it can do. For example, if I pass a list of integers as the format parameters, there is little harm that can be done. Even if my evil string contains things like "{0.__class__.__module__}" - in other words, even if it spiders through the base class list and the MRO list and everything else, there's little damage it can do, because it can't call any functions.

Now, let's suppose that somewhere in the set of objects that are transitively reachable from those parameter values, there's an object which has an attribute such that accessing that attribute deletes my hard drive or has some other bad effect. Obviously this would be bad. Bad because my hard drive was deleted, sure, but even worse because I'm an idiot for writing such a stupid class in the first place.

I know that's a bit over the top, but what I mean to say is that in the normal course of events, one can assume that attribute accesses are either stateless, or should at least seem to be stateless from the outside. It's considered bad form to go around writing classes where the mere access of an attribute has some potentially deleterious effect. Anyone who writes a class like that deserves to have their hard drive deleted IMHO.

So the judgment was made that it's relatively safe to access attributes (even if they can be overloaded), whereas allowing method invocations is much less safe.

So yes, theoretically attribute access can indeed run arbitrary code. But not in a world with mostly sane people in it.

-- Talin
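The following is an added example, not code from Talin's post or from PEP 3101 itself. It uses the str.format / string.Formatter API that the PEP became to show both halves of the argument above: an attribute-only template that walks from a plain int up to its MRO without calling anything, a property whose getter fires on mere attribute access (the "stupid class" case), and a string.Formatter subclass that limits what an untrusted template may traverse. The names SideEffectOnRead, RestrictedFormatter, render_untrusted, is_refused and the sample user object are hypothetical.

```python
"""Added example (not from the original post or from PEP 3101).

Shows what an attribute-only format string can reach, that attribute
access can still execute code via a property, and one way to contain an
untrusted template with a string.Formatter subclass.  All class and
attribute names here are hypothetical.
"""
import string
from types import SimpleNamespace

# Constructed "evil" template: attribute access only, no calls, yet it
# walks from any argument to its class and method resolution order.
EVIL_TEMPLATE = "{0.__class__.__mro__}"


def spider_mro(value):
    """Render an innocuous value through the evil template.

    Nothing is called, so for an int the damage is limited to
    disclosure of the class hierarchy."""
    return EVIL_TEMPLATE.format(value)


class SideEffectOnRead:
    """The 'stupid class' from the post: merely reading .danger acts."""

    def __init__(self):
        self.reads = 0

    @property
    def danger(self):
        self.reads += 1          # stand-in for deleting the hard drive
        return "boom"


def attribute_access_runs_code(obj):
    """Plain attribute syntax in a format string runs the property getter.

    Returns how many times the getter fired (1 after one format call)."""
    "{0.danger}".format(obj)
    return obj.reads


class RestrictedFormatter(string.Formatter):
    """Formatter for untrusted templates (hypothetical containment).

    Only attribute names in `allowed` may be traversed, so dunders such
    as __class__ are refused; indexing is refused; and the final value
    must be a primitive so no user-defined __format__ or __repr__ runs."""

    PRIMITIVES = (str, int, float, bool, type(None))

    def __init__(self, allowed=()):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        if "[" in field_name:
            raise ValueError("indexing is not permitted: %r" % field_name)
        head, *attrs = field_name.split(".")
        key = int(head) if head.isdigit() else head
        obj = self.get_value(key, args, kwargs)
        for attr in attrs:
            if attr not in self.allowed:
                raise ValueError("attribute %r is not permitted" % attr)
            obj = getattr(obj, attr)
        if not isinstance(obj, self.PRIMITIVES):
            raise ValueError("field %r is not a primitive value" % field_name)
        return obj, key


def render_untrusted(template, *args, allowed=()):
    """Format an untrusted `template` against `args` under the restrictions."""
    return RestrictedFormatter(allowed).format(template, *args)


def is_refused(template, obj, allowed=()):
    """True if the restricted formatter rejects `template` for `obj`."""
    try:
        render_untrusted(template, obj, allowed=allowed)
    except ValueError:
        return True
    return False


def sample_user():
    """Constructed sample argument object (hypothetical data)."""
    return SimpleNamespace(name="alice", profile=SimpleNamespace(city="Oslo"))


if __name__ == "__main__":
    print(spider_mro(5))
    victim = SideEffectOnRead()
    print("getter fired:", attribute_access_runs_code(victim))
    user = sample_user()
    print(render_untrusted("{0.name} from {0.profile.city}", user,
                           allowed=("name", "profile", "city")))
    for bad in ("{0.__class__}", "{0.__dict__[name]}", "{0}"):
        print(bad, "refused:", is_refused(bad, user, allowed=("name",)))
```

The whitelist narrows the reachable object graph but does not make getattr itself safe: a whitelisted name can still be a property or fall through to __getattr__, which is exactly the point of the post. The primitive check at the end matters because conversion and format specs (`{0!r}`, `{0:>10}`) call the reached object's __repr__ or __format__, which is another route to user code that the "no method calls" rule in the PEP does not cover.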



More information about the Python-3000 mailing list