1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
"""
General example for an attack against code like this:
Py_DECREF(obj->attr); obj->attr = ...;
here in Module/_json.c:scanner_init().
Explanation: if the first Py_DECREF() calls either a __del__ or a
weakref callback, it will run while the 'obj' appears to have in
'obj->attr' still the old reference to the object, but not holding
the reference count any more.
Status: progress has been made replacing these cases, but there is an
infinite number of such cases.
"""
import _json, weakref
class Ctx1(object):
encoding = "utf8"
strict = None
object_hook = None
object_pairs_hook = None
parse_float = None
parse_int = None
parse_constant = None
class Foo(unicode):
pass
def delete_me(*args):
print scanner.encoding.__dict__
class Ctx2(Ctx1):
@property
def encoding(self):
global wref
f = Foo("utf8")
f.abc = globals()
wref = weakref.ref(f, delete_me)
return f
scanner = _json.make_scanner(Ctx1())
scanner.__init__(Ctx2())