private "special" methods can be (indirectly) accessed by untrusted code #98
Trying to construct examples for a practical security breach I found hints that the problem might have limited practical importance. I concentrated my research on [...] This means that a security breach could involve an object maintaining sensitive information accessed via "special" methods (e.g. `keys`, `__getitem__`, `__iter__`) which essentially only use (potentially recursively) "simple" types/containers. A constructed example could be a class providing a mapping interface to a user base where each user is described by a [...]

The code below constructs a class `Protected` with private `keys` and `__getitem__` methods and shows how to call these methods indirectly from untrusted code:

The same likely applies to many "special" methods called implicitly by Python (such as `__bool__`, `__index__`, `__iter__`, ...) or methods of Python types. The example above uses `dict.update`; similar unprotected access is likely possible with `list.extend` (using `__iter__` without protection).