From 362bb5150352603394aacc1d7d0592938962fe92 Mon Sep 17 00:00:00 2001
From: Armin Rigo
Date: Wed, 5 Sep 2007 07:51:21 +0000
Subject: PyDict_GetItem() returns a borrowed reference. There are probably a number of places that are open to attacks such as the following one, in bltinmodule.c:min_max().
---
Lib/test/crashers/borrowed_ref_3.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 Lib/test/crashers/borrowed_ref_3.py
diff --git a/Lib/test/crashers/borrowed_ref_3.py b/Lib/test/crashers/borrowed_ref_3.py
new file mode 100644
index 0000000..f241108
--- /dev/null
+++ b/Lib/test/crashers/borrowed_ref_3.py
@@ -0,0 +1,14 @@
+"""
+PyDict_GetItem() returns a borrowed reference.
+There are probably a number of places that are open to attacks
+such as the following one, in bltinmodule.c:min_max().
+"""
+
+class KeyFunc(object):
+ def __call__(self, n):
+ del d['key']
+ return 1
+
+
+d = {'key': KeyFunc()}
+min(range(10), **d)
--
cgit v0.12
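Review bot: The docstring names the borrowed reference but never states the sequence that makes it unsafe, so a reader has to reconstruct it from `del d['key']` alone. A comment on that line would close the gap, for example `# removes the dict's reference to this KeyFunc while min() is still calling it through the borrowed pointer`. The script also appears to rely on `min(range(10), **d)` receiving `d` itself rather than a copy. That is inferred rather than shown in this patch, and it is worth stating in the docstring because the file would stop reproducing the problem without any visible failure if that ever changed. It would also help to record the expected fix, which is for min_max() to hold its own reference to the key function for the duration of the call (`Py_INCREF` before, `Py_DECREF` after), so that the file can move from crashers into a regular regression test once that lands.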