[Python-Dev] XXX - in funcobject.c
Guido van Rossum
guido at python.org
Wed Feb 6 01:03:46 CET 2008
On Feb 5, 2008 4:02 PM, Amaury Forgeot d'Arc <amauryfa at gmail.com> wrote:
> Guido van Rossum wrote:
> > Thanks Amaury! Do you think it would be sufficient to change the
> > PyString_Check() call in PyEval_EvalCodeEx into a
> > PyString_CheckExact() call?
>
> This would prevent this "attack", but would remain fragile - future
> developments could allow execution of python code somewhere.
>
> > Or is the proper fix to incref the values
> > going into the kw array and decref them upon exit?
>
> Yet Another Kind Of Tuple... However this seems the correct thing to do.
Agreed.
> In addition, if we agree to restrict argument names to str (and
> disallow subclasses), there are easy optimizations in
> PyEval_EvalCodeEx, somewhere around the "XXX slow" comment (!)
Do you think you have time to come up with a patch? If not, can you
file a bug for this so we won't forget?
--
--Guido van Rossum (home page: http://www.python.org/~guido/)