> Using "setattr" to set attributes, where the attribute string
> comes from an external source, can create a security hole. Remember
> that you can override functions on an object, for that object only,
> by setting an attribute. This offers the opportunity for an attack
> similar to SQL injection. Think about what this can do to a parser
> that has and calls a method "display" for each element:
>
> <element display='lambda x : subprocess.Popen("rm -r -f /")'>
>
> You are pwned.

Nope. You’d have to give setattr a function object, not a string.

Regards
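Added example, not code from either poster: it shows what setattr actually does with the attacker-controlled string quoted above (the value is stored as a plain str, nothing is evaluated, but the element's `display` method is still clobbered and the parser's later call breaks), and an allowlist of settable attribute names that prevents the clobbering. The `Element` class, `ALLOWED_ATTRS` and the function names are hypothetical.

```python
"""setattr with an external *string* value: stored verbatim, never executed,
but still able to shadow a method on that one object."""


class Element:
    """Minimal stand-in for the parser's element object in the thread."""
    # Hypothetical allowlist: the only names external input may set.
    ALLOWED_ATTRS = frozenset({"id", "title"})

    def display(self):
        return "<element>"


# Constructed attacker-supplied attribute value, as quoted in the thread.
PAYLOAD = 'lambda x : subprocess.Popen("rm -r -f /")'


def set_unchecked(elem, name, value):
    """Naive version: setattr straight from external input."""
    setattr(elem, name, value)
    return elem


def set_allowlisted(elem, name, value):
    """Hardened version: refuse any attribute name not on the allowlist."""
    if name not in Element.ALLOWED_ATTRS:
        raise ValueError(f"attribute {name!r} may not be set from external input")
    setattr(elem, name, value)
    return elem


def classify(elem):
    """Report what elem.display is now: 'callable' or the value's type name."""
    attr = elem.display
    return "callable" if callable(attr) else type(attr).__name__


def demo_unchecked():
    """Returns (type of elem.display, whether calling it still works)."""
    e = set_unchecked(Element(), "display", PAYLOAD)
    kind = classify(e)          # the string was stored as-is: 'str'
    try:
        e.display()             # parser's per-element call now fails
        return kind, True
    except TypeError:           # 'str' object is not callable
        return kind, False


def demo_allowlisted():
    """Returns 'rejected' when the allowlist blocks the clobbering."""
    try:
        set_allowlisted(Element(), "display", PAYLOAD)
        return "clobbered"
    except ValueError:
        return "rejected"
```

The unchecked path confirms the reply (no code runs), while the TypeError shows the residual integrity problem the quoted post's "override functions on an object" remark refers to.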