"""
General example for an attack against code like this:

    Py_DECREF(obj->attr); obj->attr = ...;

here in Module/_json.c:scanner_init().

Explanation: if the first Py_DECREF() calls either a __del__ or a
weakref callback, it will run while the 'obj' appears to have in
'obj->attr' still the old reference to the object, but not holding
the reference count any more.

Status: progress has been made replacing these cases, but there is an
infinite number of such cases.

Review note (defensive pattern): the C side must never leave 'obj->attr'
pointing at an object whose reference has already been released.  Store
the new value (or NULL) into the field first and drop the old reference
afterwards -- Py_CLEAR(), or Py_SETREF()/Py_XSETREF() where the headers
provide them -- so that a __del__ or weakref callback that re-enters
Python code only ever sees a field holding an owned reference.  When
auditing an extension module, every 'Py_DECREF(x->field); x->field = ...'
pair on an object reachable from Python is a candidate for this class of
bug.
"""

# NOTE: this reproducer is Python 2 source (print statement, 'unicode'
# builtin).  It is a regression/crasher script and is expected to be run in
# a throwaway interpreter process, not imported by other code.
import _json, weakref

# Baseline context object: only plain class attributes, so reading them has
# no side effects.  Presumably these are the attributes scanner_init() looks
# up on its context argument -- confirm against Module/_json.c.
class Ctx1(object):
    encoding = "utf8"
    strict = None
    object_hook = None
    object_pairs_hook = None
    parse_float = None
    parse_int = None
    parse_constant = None

# A unicode subclass: unlike plain unicode objects, its instances accept
# attribute assignment and weak references, both of which Ctx2.encoding
# relies on below.
class Foo(unicode):
    pass

# Weakref callback registered in Ctx2.encoding.  It reads the scanner's
# 'encoding' field and then that object's __dict__.  Per the module
# docstring, at the moment the callback runs the field still refers to the
# object whose reference was just dropped, so this access is the step that
# exposes the stale pointer.
def delete_me(*args):
    print scanner.encoding.__dict__

# Context whose 'encoding' is computed on access instead of being a
# constant, which lets Python-level code run in the middle of the C-level
# initialisation.
class Ctx2(Ctx1):
    @property
    def encoding(self):
        # The weak reference is kept in a module global so that it outlives
        # this call; a weakref callback only fires while the weakref object
        # itself is still alive.
        global wref
        f = Foo("utf8")
        # Gives the instance a populated __dict__ for delete_me() to read.
        # NOTE(review): why globals() specifically is not stated in the
        # source -- presumably any dict-valued attribute would do.
        f.abc = globals()
        wref = weakref.ref(f, delete_me)
        return f

# Build a scanner from the side-effect-free context first, then run
# __init__ again on the same object with the Ctx2 context.  Per the module
# docstring, this second initialisation is what reaches the
# DECREF-then-assign sequence in scanner_init() while delete_me is armed.
scanner = _json.make_scanner(Ctx1())
scanner.__init__(Ctx2())