On Thu, Jul 16, 2020 at 11:13 AM Random832 email@example.com wrote:
> On Wed, Jul 15, 2020, at 08:14, Chris Angelico wrote:
>> That's fair, but are you actually guaranteeing that it will never read arbitrary attributes from objects?
> First of all, reading an attribute of an object in a pickle requires the getattr function. Even currently, you can substitute your own function for getattr in find_class, and with my proposal you wouldn't have to because you could control attempts to evaluate even the real getattr function.

Are you sure of that? I don't have any examples to hand, but are you able to pickle something identified as pkg.module.cls(x)?

> Second of all, with no way to exfiltrate, why is reading arbitrary attributes from objects problematic?

Because the moment you can read arbitrary attributes from arbitrary objects, Python becomes impossible to sandbox.
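
The exchange above turns on whether a pickle can reach an attribute without going through the getattr function. The following is an added example, not part of the original messages or of the pickle module's own code: it records what a stream asks find_class to resolve under protocols 3 and 4, and applies an exact-match allow-list to both. The names SAMPLE, ALLOWED, RecordingUnpickler, AllowListUnpickler, lookups and verdict are assumptions made for illustration.

```python
import collections
import io
import pickle

# Constructed sample object: a function reached through a class attribute,
# so its qualified name is dotted ("Counter.most_common").
SAMPLE = collections.Counter.most_common
ALLOWED = {("collections", "Counter")}  # constructed allow-list, exact pairs


class RecordingUnpickler(pickle.Unpickler):
    """Record every (module, name) pair the stream asks find_class to resolve."""

    def __init__(self, file):
        super().__init__(file)
        self.seen = []

    def find_class(self, module, name):
        self.seen.append((module, name))
        return super().find_class(module, name)


class AllowListUnpickler(pickle.Unpickler):
    """Resolve a global only when (module, full dotted name) is allow-listed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


def lookups(data):
    unpickler = RecordingUnpickler(io.BytesIO(data))
    unpickler.load()
    return unpickler.seen


def verdict(data):
    try:
        AllowListUnpickler(io.BytesIO(data)).load()
        return "loaded"
    except pickle.UnpicklingError as exc:
        return str(exc)


if __name__ == "__main__":
    for proto in (3, 4):
        data = pickle.dumps(SAMPLE, protocol=proto)
        print(proto, lookups(data), verdict(data))
```

Under protocol 3 the stream references builtins.getattr explicitly, while under protocol 4 the dotted name is passed straight to find_class, whose default implementation walks the attributes itself; a find_class policy therefore has to compare the full dotted name rather than only its first component.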