Metaclasses with metaclasses with a __dict__ descriptor can no longer trigger code execution with inspect.getattr_static.

Closes issue 11829.

Lib/inspect.py

@@ -1161,10 +1161,11 @@ def getattr_static(obj, attr, default=_sentinel):
     if obj is klass:
         # for types we check the metaclass too
         for entry in _static_getmro(type(klass)):
-            try:
+            if _shadowed_dict(type(entry)) is _sentinel:
-                return entry.__dict__[attr]
+                try:
-            except KeyError:
+                    return entry.__dict__[attr]
-                pass
+                except KeyError:
+                    pass
     if default is not _sentinel:
         return default
     raise AttributeError(attr)

Lib/test/test_inspect.py

@@ -1088,6 +1088,23 @@ def test_module(self):
         self.assertIsNot(inspect.getattr_static(sys, "version", sentinel),
                          sentinel)
 
+    def test_metaclass_with_metaclass_with_dict_as_property(self):
+        class MetaMeta(type):
+            @property
+            def __dict__(self):
+                self.executed = True
+                return dict(spam=42)
+
+        class Meta(type, metaclass=MetaMeta):
+            executed = False
+
+        class Thing(metaclass=Meta):
+            pass
+
+        with self.assertRaises(AttributeError):
+            inspect.getattr_static(Thing, "spam")
+        self.assertFalse(Thing.executed)
+
 class TestGetGeneratorState(unittest.TestCase):
 
     def setUp(self):

Misc/NEWS

@@ -97,6 +97,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #11829: Fix code execution holes in inspect.getattr_static for
+  metaclasses with metaclasses. Patch by Andreas Stührk.
+
 - Issue #1785: Fix inspect and pydoc with misbehaving descriptors.
 
 - Issue #11813: Fix inspect.getattr_static for modules. Patch by Andreas