On Tue, Apr 12, 2016 at 02:31:19PM +0200, Victor Stinner wrote: > Oh, I forgot to mention another vulnerability: you block access to > attributes by replacing getattr and by analyzing the AST. Ok, but one > more time, it's not enough. If you get access to obj.__dict__, you > will likely get access to any attribute using obj_dict[attr] instead > of obj.attr.
That's not a vulnerability, and it's something I already explicitly mentioned - if you can get a function to return an object's __dict__ then you win. The question is: can you do that? _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
