Impact
A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module.
Patches
The problem will be fixed in version 7.3.
Workarounds
If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.
Quasar0147 Reporter
dronex7070 Reporter
d-maurer Remediation developer
dataflake Remediation verifier
icemac Coordinator
Impact
A user can gain access to protected (and potentially sensible) information indirectly via
AttributeError.objand thestringmodule.Patches
The problem will be fixed in version 7.3.
Workarounds
If the application does not require access to the module
string, it can remove it fromRestrictedPython.Utilities.utility_builtinsor otherwise do not make it available in the restricted execution environment.