"""
General example for an attack against code like this:

    Py_DECREF(obj->attr); obj->attr = ...;

here in Module/_json.c:scanner_init().

Explanation: if the first Py_DECREF() calls either a __del__ or a
weakref callback, it will run while the 'obj' appears to have in
'obj->attr' still the old reference to the object, but not holding
the reference count any more.

Status: progress has been made replacing these cases, but there is an
infinite number of such cases.
"""

# Reviewer notes (defensive reading of this regression script):
#   * Bug class: a C struct field is decref'ed *before* it is overwritten, so
#     any Python code triggered by that decref can observe a field that still
#     points at an object whose reference has already been given up.
#   * Remediation on the C side is to make the field safe first and drop the
#     old reference last: copy the old pointer to a temporary, store the new
#     value (or NULL), then decref the temporary. CPython's Py_CLEAR() and
#     Py_SETREF()/Py_XSETREF() macros package exactly that ordering.
#   * This file is Python 2 only (print statement, `unicode` builtin) and
#     depends on the private C accelerator module `_json`.
#   * Statement order and object lifetimes below are load-bearing; do not
#     "tidy" this script if it is kept as a regression case.

import _json, weakref

# Plain context object handed to _json.make_scanner().
# NOTE(review): the attribute names presumably mirror what scanner_init()
# reads from its context argument -- confirm against the _json C source.
class Ctx1(object):
    encoding = "utf8"
    strict = None
    object_hook = None
    object_pairs_hook = None
    parse_float = None
    parse_int = None
    parse_constant = None

# A unicode subclass: unlike plain unicode objects, its instances can carry
# an instance __dict__ and can be the target of a weak reference, both of
# which are used below.
class Foo(unicode):
    pass

# Weakref callback. It reads `scanner.encoding` back through the module-level
# `scanner` object; per the module docstring, this runs while the scanner's
# field may still hold the old pointer without owning a reference to it.
def delete_me(*args):
    print scanner.encoding.__dict__

# Same context as Ctx1, except `encoding` is computed on every attribute read.
class Ctx2(Ctx1):
    @property
    def encoding(self):
        # The weakref object is stored in a module global so that it outlives
        # this call; a weakref callback only fires if the weakref itself is
        # still alive when its referent is finalised.
        global wref
        f = Foo("utf8")
        # Gives the instance a non-empty __dict__, which is what delete_me()
        # later prints.
        f.abc = globals()
        wref = weakref.ref(f, delete_me)
        # After this return no Python-level name refers to `f`; only the
        # caller of the property holds a reference.
        return f

# Build a scanner from the well-behaved context first, then re-run __init__
# on the *same* scanner with Ctx2. Re-initialisation is what reaches the
# decref-then-assign sequence described in the docstring.
# NOTE(review): a hardened scanner_init() should survive this without
# touching freed memory; treat any crash here as an unfixed instance of the
# pattern.
scanner = _json.make_scanner(Ctx1())
scanner.__init__(Ctx2())