[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited) (original) (raw)
Jon Ribbens jon+python-dev at unequivocal.co.uk
Fri Apr 8 12:47:16 EDT 2016
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Apr 08, 2016 at 05:49:12PM +0200, Marcin KoĆcielnicki wrote:
On 08/04/16 16:18, Jon Ribbens wrote: That one is trivially fixable, but here goes:
async def a(): global c c = b.crframe.fback.fback.fback b = a() b.send(None) c.fbuiltins'print'
Ah, I've not used Python 3.5, and I can't find any documentation on this cr_frame business, but I've added cr_frame and f_back to the disallowed attributes list.
Also, if the point of giving me a subclass of datetime is to prevent access to the actual class, that can be circumvented:
>>> realdatetime = datetime.datetime.mro()[1] >>> realdatetime <class 'datetime.datetime'> But I'm not sure what good that is.
It means you can alter the datetime class that is used by the containing application, which is bad - you could lie to it about what day it is for example ;-)
I've made it so instead of a direct subclass it now makes an intermediate subclass which makes mro() return an empty list.
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]