[Python-Dev] Set the namespace free!

Éric Araujo eric at netwok.org
Thu Jul 22 20:59:08 CEST 2010


> Using "setattr" to set attributes, where the attribute string comes from an external source, can create a security hole. Remember that you can override functions on an object, for that object only, by setting an attribute. This offers the opportunity for an attack similar to SQL injection. Think about what this can do to a parser that has and calls a method "display" for each element:
>
> You are pwned.

Nope. You’d have to give setattr a function object, not a string.

Regards
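Added example, not part of the thread: it shows what setattr with an externally supplied attribute name actually does to a hypothetical parser element class that has a display method (the Element class, the attribute names and the allowlist are assumptions), and one guard such a parser could apply before calling setattr.

```python
"""Constructed demonstration: an externally supplied attribute name passed
to setattr can shadow a method with a plain string, but the string is data,
not code; an allowlist keeps external input away from method names."""


class Element:
    """Hypothetical parser element with a display() method (assumption)."""

    # Attribute names that external input is permitted to set (assumption).
    ALLOWED_ATTRS = frozenset({"tag", "text"})

    def __init__(self, tag):
        self.tag = tag
        self.text = ""

    def display(self):
        return f"<{self.tag}>{self.text}</{self.tag}>"


def unsafe_apply(elem, name, value):
    """Sets whichever attribute name the external source supplied."""
    setattr(elem, name, value)


def safe_apply(elem, name, value):
    """Only allowlisted data attributes may be set; never an existing callable."""
    if name not in Element.ALLOWED_ATTRS:
        raise ValueError(f"attribute {name!r} not permitted")
    if callable(getattr(elem, name, None)):
        raise ValueError(f"refusing to shadow method {name!r}")
    setattr(elem, name, value)


def render_after(apply_fn, name, value):
    """Apply one externally supplied (name, value) pair, then call display()."""
    elem = Element("p")
    try:
        apply_fn(elem, name, value)
        return elem.display()
    except TypeError as exc:
        # A string now sits where the method was: display() cannot be called,
        # but the string itself was never executed.
        return f"TypeError: {exc}"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(render_after(unsafe_apply, "text", "hello"))
    print(render_after(unsafe_apply, "display", "import os"))
    print(render_after(safe_apply, "display", "import os"))
```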
