Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mail.python.org/pipermail/python-dev/2016-April/143801.html below:

[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

• Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Apr 08, 2016 at 05:49:12PM +0200, Marcin Kościelnicki wrote:
> On 08/04/16 16:18, Jon Ribbens wrote:
> That one is trivially fixable, but here goes:
> 
> async def a():
>     global c
>     c = b.cr_frame.f_back.f_back.f_back
> 
> b = a()
> b.send(None)
> c.f_builtins['print']('broken')

Ah, I've not used Python 3.5, and I can't find any documentation on
this cr_frame business, but I've added cr_frame and f_back to the
disallowed attributes list.

> Also, if the point of giving me a subclass of datetime is to prevent access
> to the actual class, that can be circumvented:
> 
> >>> real_datetime = datetime.datetime.mro()[1]
> >>> real_datetime
> <class 'datetime.datetime'>
> 
> But I'm not sure what good that is.

It means you can alter the datetime class that is used by the
containing application, which is bad - you could lie to it about
what day it is for example ;-)

I've made it so instead of a direct subclass it now makes an
intermediate subclass which makes mro() return an empty list.

• Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4