[issue41180] marshal load bypass code.__new__ audit event

2021-03-05 Thread Yunfan Zhan


Change by Yunfan Zhan :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 
<https://bugs.python.org/issue41180>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41180] marshal load bypass code.__new__ audit event

2020-06-30 Thread Yunfan Zhan


New submission from Yunfan Zhan :

While `code.__new__` is being audited, using `marshal.loads` to create a code 
object will trigger no events. Therefore, either `marshal.load(s)` event itself 
should be audited, or `code.__new__` should be triggered when marshal type is 
TYPE_CODE.

Considering that importing from a pyc file also relies on unmarshalling code 
objects, and they have already been audited as `import`, I'm also wondering if 
auditing twice should be avoided for performance.

--
messages: 372733
nosy: steve.dower, tkmk
priority: normal
severity: normal
status: open
title: marshal load bypass code.__new__ audit event
type: security
versions: Python 3.10, Python 3.8, Python 3.9




[issue41180] marshal load bypass code.__new__ audit event

2020-07-01 Thread Yunfan Zhan


Change by Yunfan Zhan :


--
keywords: +patch
pull_requests: +20421
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/21271




[issue41180] marshal load bypass code.__new__ audit event

2020-07-02 Thread Yunfan Zhan


Yunfan Zhan  added the comment:

Before this, we only audit code.__new__ and code.replace, as these methods 
allow constructing arbitrary code objects, and we don't audit code objects 
coming from the normal way (like compile, exec, eval).
If the event is raised in PyCode_NewWithPosOnlyArgs, is it ok that the compiled 
code is also audited?

--
