[Python-Dev] XXX - in funcobject.c

Amaury Forgeot d'Arc amauryfa at gmail.com
Wed Feb 6 01:02:22 CET 2008


Guido van Rossum wrote:
> Thanks Amaury! Do you think it would be sufficient to change the
> PyString_Check() call in PyEval_EvalCodeEx into a
> PyString_CheckExact() call?

This would prevent this "attack", but would remain fragile - future
developments could allow execution of Python code somewhere.

> Or is the proper fix to incref the values
> going into the kw array and decref them upon exit?

Yet Another Kind Of Tuple... However this seems the correct thing to do.

In addition, if we agree to restrict argument names to str (and
disallow subclasses), there are easy optimizations in
PyEval_EvalCodeEx, somewhere around the "XXX slow" comment (!)

-- 
Amaury Forgeot d'Arc