[Python-Dev] Set the namespace free!
Éric Araujo
merwok at netwok.org
Thu Jul 22 21:01:17 CEST 2010
> Using "setattr" to set attributes, where the attribute string
> comes from an external source, can create a security hole. Remember
> that you can override functions on an object, for that object only,
> by setting an attribute. This offers the opportunity for an attack
> similar to SQL injection. Think about what this can do to a parser
> that has and calls a method "display" for each element:
>
> <element display='lambda x : subprocess.Popen("rm -r -f /")'>
>
> You are pwned.
Nope. You’d have to give setattr a function object, not a string.
Regards
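To illustrate the reply, here is an added example (not code from the thread): plain setattr stores the quoted string as data, so calling display() then fails with TypeError rather than running anything, and an allow-listed setter (a hypothetical guard, assumed here) keeps an externally supplied attribute name from shadowing a method at all.

```python
class Element:
    """Toy parser element (constructed for this example) with a display method."""

    def __init__(self, tag):
        self.tag = tag

    def display(self):
        return f"<{self.tag}>"


# Attributes as parsed from an untrusted document: the value arrives as a
# plain string, exactly as in the quoted message.
UNTRUSTED_ATTRS = {"display": 'lambda x : subprocess.Popen("rm -r -f /")'}


def naive_set(element, attrs):
    """Apply attributes with plain setattr. The string is stored as-is;
    it is never compiled or executed, which is the point of the reply."""
    for name, value in attrs.items():
        setattr(element, name, value)
    return element


def call_display(element):
    """Return what element.display() yields: the rendered tag, or the
    exception type name if the method was shadowed by a non-callable."""
    try:
        return element.display()
    except TypeError as exc:
        return type(exc).__name__


# Hypothetical allow-list of attribute names the parser is willing to set.
ALLOWED = frozenset({"tag", "title", "width"})


def guarded_set(element, attrs):
    """Defensive variant: only allow-listed names that are not methods on
    the class may be set, so an external name cannot shadow display()."""
    for name, value in attrs.items():
        if name not in ALLOWED or callable(getattr(type(element), name, None)):
            raise ValueError(f"refusing to set attribute {name!r}")
        setattr(element, name, value)
    return element
```

The real exposure with untrusted attribute names is therefore integrity (a method replaced by data, breaking the object), not execution of the string's contents.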