[Python-3000] Addition to PEP 3101
Talin
talin at acm.org
Tue May 1 05:06:06 CEST 2007
Greg Ewing wrote:
> Patrick Maupin wrote:
>
>> Method calls are deliberately disallowed by the PEP, so that the
>> implementation has some hope of being securable.
>
> If attribute access is allowed, arbitrary code can already
> be triggered, so I don't see how this makes a difference
> to security.
Not quite. It depends on what you mean by 'arbitrary code'.
Let's take a hypothetical example: Suppose I have a format string which
I downloaded from the nefarious "evil.org" web site which I suspect may
contain "evil" formatting fields.
Now, I'd like to be able to use this format string, but I want to be
able to contain the damage that it can do. For example, if I pass a list
of integers as the format parameters, there is little harm that can be
done. Even if my evil string contains things like
"{0.__class__.__module__}" - in other words, even if it spiders through
the base class list and the MRO list and everything else, there's little
damage it can do, because it can't call any functions.
Now, let's suppose that somewhere in the set of objects that are
transitively reachable from those parameter values, there's an object
which has an attribute such that accessing that attribute deletes my
hard drive or has some other bad effect. Obviously this would be bad.
Bad because my hard drive was deleted, sure, but even worse because I'm
an idiot for writing such a stupid class in the first place.
I know that's a bit over the top, but what I mean to say is that in the
normal course of events, one can assume that attribute accesses are
either stateless, or should at least *seem* to be stateless from the
outside. It's considered bad form to go around writing classes where the
mere access of an attribute has some potentially deleterious effect.
Anyone who writes a class like that deserves to have their hard drive
deleted IMHO.
So the judgment was made that it's relatively safe to access attributes
(even if they can be overloaded), whereas allowing method invocations is
much less safe.
So yes, theoretically attribute access can indeed run arbitrary code.
But not in a world with mostly sane people in it.
-- Talin
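Added worked example, appended by the editor; it is not code from Talin's post or from PEP 3101. It shows what the str.format() replacement-field syntax that PEP 3101 eventually specified lets an untrusted format string reach using only attribute access (".name") and indexing ("[key]"), with no method call anywhere in the string, and one way to constrain it with a string.Formatter subclass. The SECRET_TOKEN constant, the Record class and the HOSTILE_FMT string are constructed for the demonstration.

```python
"""Attribute traversal in str.format() with an untrusted format string.

Editor's example, not code from the original post or from PEP 3101.
It relies only on the documented str.format() field syntax: a replacement
field may contain attribute access (.attr) and indexing ([key]), but no
calls. SECRET_TOKEN, Record and HOSTILE_FMT are constructed for the demo.
"""
import string

# Constructed: a module-level value the format string should never reach.
SECRET_TOKEN = "hunter2"


class Record:
    """A plain data object passed to format() as a positional parameter."""

    def __init__(self, user_id: int, name: str):
        self.user_id = user_id
        self.name = name


# Constructed: a format string from an untrusted source. It uses nothing
# but attribute and index access, yet walks from the instance to its class,
# to the class's __init__ function, to that function's module globals.
HOSTILE_FMT = "{0.name}: {0.__class__.__init__.__globals__[SECRET_TOKEN]}"


def render_unsafe(fmt: str, rec: Record) -> str:
    """Vanilla str.format(): follows every attribute/index hop in fmt."""
    return fmt.format(rec)


class FlatFormatter(string.Formatter):
    """Hardened formatter: still supports '{0}', '{name}' and format specs,
    but refuses any attribute or index traversal inside a replacement field.
    Caveat: a format spec such as '{0:>10}' still invokes the argument's
    __format__ method, so pass only simple values (str, int) as arguments."""

    def get_field(self, field_name, args, kwargs):
        # string.Formatter.get_field is the hook that walks '.attr' and
        # '[key]'. A dot or bracket in the field name means traversal.
        if "." in field_name or "[" in field_name:
            raise ValueError(f"attribute/index access not allowed: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_flat(fmt: str, *args, **kwargs) -> str:
    """Render fmt with FlatFormatter; raises ValueError on traversal."""
    return FlatFormatter().format(fmt, *args, **kwargs)


def demo():
    """Return (what vanilla format() leaks, whether FlatFormatter blocked it)."""
    rec = Record(42, "alice")
    leaked = render_unsafe(HOSTILE_FMT, rec)  # "alice: hunter2"
    try:
        render_flat(HOSTILE_FMT, rec)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("str.format() result:", leaked)
    print("FlatFormatter blocked traversal:", blocked)
    # Flat, explicitly supplied fields still work with the hardened formatter.
    print(render_flat("user {name} (id {0})", 42, name="alice"))
```

The hardened formatter only ensures that a format string can name the values you hand it, not the objects transitively reachable from them; it does not address padding-based resource exhaustion ("{0:1000000000}") or the __format__ call noted in the class docstring.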