diff --git a/CHANGES.rst b/CHANGES.rst
index 3b6e446..a251725 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -9,7 +9,8 @@ Changes
 - Allow to use the package with Python 3.13 -- Caution: No security audit has been done so far.
 - Add support for single mode statements / execution.
-- Fix a potential breakout capability in the provided safer_getattr method that is part of the safer_builtins
+- Fix a potential breakout capability in the provided ``safer_getattr`` method
+  that is part of the ``safer_builtins``.
 7.1 (2024-03-14)
diff --git a/src/RestrictedPython/Guards.py b/src/RestrictedPython/Guards.py
index ab63785..6dee42e 100644
--- a/src/RestrictedPython/Guards.py
+++ b/src/RestrictedPython/Guards.py
@@ -246,8 +246,8 @@ def safer_getattr(object, name, default=None, getattr=getattr):
     http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
     """
-    if not (isinstance(name, str) and type(name) is str):
-        raise TypeError('name is not of type str')
+    if type(name) is not str:
+        raise TypeError('type(name) must be str')
     if name in ('format', 'format_map') and (
             isinstance(object, str) or
             (isinstance(object, type) and issubclass(object, str))):
diff --git a/tests/test_Guards.py b/tests/test_Guards.py
index 068a304..cc49f85 100644
--- a/tests/test_Guards.py
+++ b/tests/test_Guards.py
@@ -292,7 +292,7 @@ def test_Guards__safer_getattr__4():
     with pytest.raises(TypeError) as err:
         restricted_exec(SAFER_GETATTR_BREAKOUT, restricted_globals)
-    assert 'name is not of type str' == str(err.value)
+    assert 'type(name) must be str' == str(err.value)
def test_call_py3_builtins():
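Review bot: The new exact-type check `if type(name) is not str:` in the Guards.py hunk is the security-relevant line, but nothing in the code says why `isinstance` is deliberately avoided, so a later cleanup could reintroduce the weaker test. A `str` subclass can override `__eq__`/`__hash__`, which would let the `name in ('format', 'format_map')` membership test just below disagree with the attribute the underlying `getattr` eventually looks up; requiring the exact type keeps the two consistent. I would add a comment above the check: `# Exact type required: a str subclass could override __eq__/__hash__` / `# and make the 'format'/'format_map' membership test below miss.` The signature of safer_getattr and the remainder of its body lie outside the hunk.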