[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

Jon Ribbens jon+python-dev at unequivocal.co.uk
Fri Apr 8 12:47:16 EDT 2016

On Fri, Apr 08, 2016 at 05:49:12PM +0200, Marcin Kościelnicki wrote:
> On 08/04/16 16:18, Jon Ribbens wrote:
> That one is trivially fixable, but here goes:
> async def a():
>     global c
>     c = b.cr_frame.f_back.f_back.f_back
> b = a()
> b.send(None)
> c.f_builtins['print']('broken')

Ah, I've not used Python 3.5, and I can't find any documentation on
this cr_frame business, but I've added cr_frame and f_back to the
disallowed attributes list.

> Also, if the point of giving me a subclass of datetime is to prevent access
> to the actual class, that can be circumvented:
> >>> real_datetime = datetime.datetime.mro()[1]
> >>> real_datetime
> <class 'datetime.datetime'>
> But I'm not sure what good that is.

It means you can alter the datetime class that is used by the
containing application, which is bad - you could lie to it about
what day it is for example ;-)

I've made it so instead of a direct subclass it now makes an
intermediate subclass which makes mro() return an empty list.

More information about the Python-Dev mailing list