Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh-104265 Disallow instantiation of _csv.Reader and _csv.Writer #104266

Conversation

chgnrdv
Copy link
Contributor

@chgnrdv chgnrdv commented May 7, 2023

Fixes #104265

Set Py_TPFLAGS_DISALLOW_INSTANTIATION and unset Py_TPFLAGS_BASETYPE flags on Reader and Writer types to prevent their instantiation and subtyping

…r` types

Set `Py_TPFLAGS_DISALLOW_INSTANTIATION` and unset `Py_TPFLAGS_BASETYPE` flags on `Reader` and `Writer` types to prevent their instantiation and subtyping
@chgnrdv chgnrdv changed the title Disallow instantiation and subtyping of _csv.Reader and _csv.Writer gh-104265 Disallow instantiation and subtyping of _csv.Reader and _csv.Writer May 7, 2023
@corona10 corona10 requested a review from erlend-aasland May 7, 2023 13:34
@erlend-aasland
Copy link
Contributor

Thanks! This needs a NEWS entry, preferrably with a reference to when the bug was introduced. I think this should be backported through to 3.10.

@erlend-aasland
Copy link
Contributor

Also, please add tests. There's a dedicated test.support helper for this. Grep through the code base to find it and see how it's used.

@chgnrdv
Copy link
Contributor Author

chgnrdv commented May 7, 2023

@erlend-aasland, are you talking about assert_python_ok? Can't we just check if TypeError with proper message is raised on attempt to create instance/subtype?

@erlend-aasland
Copy link
Contributor

There's a disallow_instantiation helper in test.support.

@erlend-aasland erlend-aasland added the needs backport to 3.11 only security fixes label May 7, 2023
@erlend-aasland
Copy link
Contributor

Thanks! This needs a NEWS entry, preferrably with a reference to when the bug was introduced. I think this should be backported through to 3.10.

Ah, 3.10 is in security fix mode, so we can only backport to 3.11.

@erlend-aasland
Copy link
Contributor

Some history, the original issue for applying PEP-384 to the _csv extension module:

A later (duplicate issue); the linked PRs were closed and incorporated into gh-23224

As you can see, both the Writer and the Reader class had Py_TPFLAGS_BASETYPE when they were converted from static to heap types. Removing that flag is a backwards incompatible change, as third-party software may depend on that behaviour. Please revert that particular change.

@erlend-aasland erlend-aasland changed the title gh-104265 Disallow instantiation and subtyping of _csv.Reader and _csv.Writer gh-104265 Disallow instantiation of _csv.Reader and _csv.Writer May 7, 2023
Copy link
Contributor

@erlend-aasland erlend-aasland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested:

  • Revert Py_TPFLAGS_BASETYPE changes
  • Add NEWS entry

@bedevere-bot
Copy link

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@chgnrdv
Copy link
Contributor Author

chgnrdv commented May 7, 2023

Looks like 6a02b38 from #23224 introduced this issue. How can I reflect this in NEWS entry text? Should I specify an issue number?

@erlend-aasland
Copy link
Contributor

Looks like 6a02b38 from #23224 introduced this issue. How can I reflect this in NEWS entry text? Should I specify an issue number?

Indeed it did.

You can reference GitHub issues/PRs with the :gh: Sphinx directive. Here's a suggestion to a NEWS entry:

Prevent possible crash by disallow instantiation of the :class:`!_csv.Reader`
and :class:`!_csv.Writer` types. The regression was introduced by :gh:`23224`
in Python 3.10. Patch by <your-name-here>.

@chgnrdv chgnrdv requested a review from erlend-aasland May 7, 2023 16:49
@chgnrdv
Copy link
Contributor Author

chgnrdv commented May 7, 2023

I have made the requested changes; please review again

@bedevere-bot
Copy link

Thanks for making the requested changes!

@erlend-aasland: please review the changes made to this pull request.

Lib/test/test_csv.py Outdated Show resolved Hide resolved
chgnrdv added 2 commits May 7, 2023 23:49
…ub.com:chgnrdv/cpython into _csv-make-Reader-Writer-types-non-instantiable
@erlend-aasland
Copy link
Contributor

Thank you so much for the report and bugfix, Radislav; good job!

@erlend-aasland erlend-aasland merged commit 06c2a48 into python:main May 7, 2023
@miss-islington
Copy link
Contributor

Thanks @chgnrdv for the PR, and @erlend-aasland for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

@bedevere-bot
Copy link

GH-104278 is a backport of this pull request to the 3.11 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.11 only security fixes label May 7, 2023
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 7, 2023
@chgnrdv
Copy link
Contributor Author

chgnrdv commented May 7, 2023

@erlend-aasland, thank you for your patient review :)

kumaraditya303 pushed a commit that referenced this pull request May 8, 2023
…iter` (GH-104266) (#104278)

gh-104265 Disallow instantiation of `_csv.Reader` and `_csv.Writer` (GH-104266)
(cherry picked from commit 06c2a48)

Co-authored-by: chgnrdv <[email protected]>
jbower-fb pushed a commit to jbower-fb/cpython-jbowerfb that referenced this pull request May 8, 2023
carljm added a commit to carljm/cpython that referenced this pull request May 9, 2023
* main: (47 commits)
  pythongh-97696 Remove unnecessary check for eager_start kwarg (python#104188)
  pythonGH-104308: socket.getnameinfo should release the GIL (python#104307)
  pythongh-104310: Add importlib.util.allowing_all_extensions() (pythongh-104311)
  pythongh-99113: A Per-Interpreter GIL! (pythongh-104210)
  pythonGH-104284: Fix documentation gettext build (python#104296)
  pythongh-89550: Buffer GzipFile.write to reduce execution time by ~15% (python#101251)
  pythongh-104223: Fix issues with inheriting from buffer classes (python#104227)
  pythongh-99108: fix typo in Modules/Setup (python#104293)
  pythonGH-104145: Use fully-qualified cross reference types for the bisect module (python#104172)
  pythongh-103193: Improve `getattr_static` test coverage (python#104286)
  Trim trailing whitespace and test on CI (python#104275)
  pythongh-102500: Remove mention of bytes shorthand (python#104281)
  pythongh-97696: Improve and fix documentation for asyncio eager tasks (python#104256)
  pythongh-99108: Replace SHA3 implementation HACL* version (python#103597)
  pythongh-104273: Remove redundant len() calls in argparse function (python#104274)
  pythongh-64660: Don't hardcode Argument Clinic return converter result variable name (python#104200)
  pythongh-104265 Disallow instantiation of `_csv.Reader` and `_csv.Writer` (python#104266)
  pythonGH-102613: Improve performance of `pathlib.Path.rglob()` (pythonGH-104244)
  pythongh-103650: Fix perf maps address format (python#103651)
  pythonGH-89812: Churn `pathlib.Path` methods (pythonGH-104243)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

_csv Reader and Writer types shouldn't be directly instantiable
4 participants