[Python-3000] Addition to PEP 3101

Talin talin at acm.org
Tue May 1 05:06:06 CEST 2007


Greg Ewing wrote:
> Patrick Maupin wrote:
> 
>> Method calls are deliberately disallowed by the PEP, so that the
>> implementation has some hope of being securable.
> 
> If attribute access is allowed, arbitrary code can already
> be triggered, so I don't see how this makes a difference
> to security.

Not quite. It depends on what you mean by 'arbitrary code'.

Let's take a hypothetical example: Suppose I have a format string which 
I downloaded from the nefarious "evil.org" web site which I suspect may 
contain "evil" formatting fields.

Now, I'd like to be able to use this format string, but I want to be 
able to contain the damage that it can do. For example, if I pass a list 
of integers as the format parameters, there is little harm that can be 
done. Even if my evil string contains things like 
"{0.__class__.__module__}" - in other words, even if it spiders through 
the base class list and the MRO list and everything else, there's little 
damage it can do, because it can't call any functions.

Now, let's suppose that somewhere in the set of objects that are 
transitively reachable from those parameter values, there's an object 
which has an attribute such that accessing that attribute deletes my 
hard drive or has some other bad effect. Obviously this would be bad. 
Bad because my hard drive was deleted, sure, but even worse because I'm 
an idiot for writing such a stupid class in the first place.

I know that's a bit over the top, but what I mean to say is that in the 
normal course of events, one can assume that attribute accesses are 
either stateless, or should at least *seem* to be stateless from the 
outside. It's considered bad form to go around writing classes where the 
mere access of an attribute has some potentially deleterious effect. 
Anyone who writes a class like that deserves to have their hard drive 
deleted IMHO.

So the judgment was made that it's relatively safe to access attributes 
(even if they can be overloaded), whereas allowing method invocations is 
much less safe.

So yes, theoretically attribute access can indeed run arbitrary code. 
But not in a world with mostly sane people in it.

-- Talin
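The two behaviours Talin contrasts (attribute walks such as `{0.__class__.__module__}` succeed, method calls do not) can be checked directly against `str.format`, and the "contain the damage" idea can be implemented by subclassing `string.Formatter`. The code below is an added example, not code from the thread or from the PEP 3101 implementation; the `Account` class and the dunder-rejecting policy in `RestrictedFormatter` are constructed for the demonstration.

```python
import re
import string


class Account:
    """Constructed sample class: 'balance' stands in for data a template
    author may legitimately want, while the dunder attributes reachable
    from any instance are the ones an untrusted template would spider."""

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance


def _outcome(render):
    """Run a rendering callable and return its string result, or the
    name of the exception it raised, so callers can compare policies."""
    try:
        return render()
    except Exception as exc:
        return type(exc).__name__


def render_unrestricted(template, *args, **kwargs):
    """Plain str.format, i.e. the PEP 3101 rules: '.' and '[]' walks on the
    parameters are allowed, method calls are not ('upper()' is just an
    attribute name that does not exist, so it fails)."""
    return _outcome(lambda: template.format(*args, **kwargs))


class RestrictedFormatter(string.Formatter):
    """Hypothetical containment policy for untrusted templates: keep the
    attribute/index syntax, but refuse any segment whose name begins with an
    underscore, which cuts off __class__, __mro__, __dict__ and friends."""

    _segment_split = re.compile(r"[.\[]")

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text between braces before ':' or '!',
        # e.g. "0.__class__.__module__" or "acct[0].balance".
        segments = self._segment_split.split(field_name)
        for seg in segments[1:]:  # segments[0] is the argument selector
            if seg.rstrip("]").startswith("_"):
                raise ValueError(f"private attribute refused in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_restricted(template, *args, **kwargs):
    """Render an untrusted template under the RestrictedFormatter policy."""
    return _outcome(lambda: RestrictedFormatter().format(template, *args, **kwargs))


if __name__ == "__main__":
    acct = Account("ann", 42)
    # Integers as parameters: the walk reaches builtins metadata, nothing more.
    print(render_unrestricted("{0.__class__.__module__}", 5))        # builtins
    # Method-call syntax is not a call; it is a failed attribute lookup.
    print(render_unrestricted("{0.upper()}", "x"))                   # AttributeError
    # Ordinary attribute access works under both policies ...
    print(render_restricted("{0.balance} owed by {0.owner}", acct))  # 42 owed by ann
    # ... but the dunder walk is refused before any lookup happens.
    print(render_restricted("{0.__class__.__module__}", acct))       # ValueError
```

The policy above is a deny-list on leading underscores, which is enough to stop the `__class__`/`__mro__` spidering the mail describes; for templates from a source like the hypothetical "evil.org", an allow-list of the exact attribute names the template is expected to use (checked in the same `get_field` override) is the stricter choice.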
