Untrusted code execution
Ian Kelly
ian.g.kelly at gmail.com
Wed Apr 6 13:01:27 EDT 2016
On Wed, Apr 6, 2016 at 10:04 AM, Chris Angelico <rosuav at gmail.com> wrote:
> On Thu, Apr 7, 2016 at 1:41 AM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
>> type might also be a concern since it can be used to assemble
>> arbitrary classes.
>
> Sadly, this means denying the ability to interrogate an object for its
> type. And no, this won't do:
>
> def safe_type(obj): return type(obj)
>
> because all you need is safe_type(safe_type(1)) and you've just
> regained access to the original 'type' type.

How about:

def safe_type(obj):
    if isinstance(obj, type):
        raise ValueError("'safe_type()' not allowed on type subclasses")
    return type(obj)
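
The following is an added example, not part of the original post: it runs the wrapper quoted in the thread and the guarded version from the reply over a constructed set of probe objects and reports which calls hand back `type` or a subclass of it. The names `naive_safe_type`, `returns_metaclass`, `audit`, `Meta`, `WithMeta` and `PROBES` are hypothetical, and the check covers only what each wrapper returns.

```python
def naive_safe_type(obj):
    # The wrapper quoted in the thread: hands back whatever type() returns.
    return type(obj)


def safe_type(obj):
    # The guarded version proposed in the reply.
    if isinstance(obj, type):
        raise ValueError("'safe_type()' not allowed on type subclasses")
    return type(obj)


def returns_metaclass(func, obj):
    """True if func(obj) yields `type` or a subclass of it (a class factory)."""
    try:
        result = func(obj)
    except ValueError:
        return False  # the guard refused the request
    return isinstance(result, type) and issubclass(result, type)


class Meta(type):
    """Constructed sample metaclass."""


class WithMeta(metaclass=Meta):
    """Constructed sample class whose type is Meta rather than type."""


# Constructed probe set: plain values, an instance, classes, and `type` itself.
PROBES = [1, "s", [], WithMeta(), int, WithMeta, Meta, type]


def audit(func):
    """Return the probes for which func hands back a metaclass."""
    return [p for p in PROBES if returns_metaclass(func, p)]


if __name__ == "__main__":
    # The nested call from the thread: the unguarded wrapper returns `type`.
    print("naive nested call:", naive_safe_type(naive_safe_type(1)))
    print("naive returns a metaclass for:  ", audit(naive_safe_type))
    print("guarded returns a metaclass for:", audit(safe_type))
```
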