On Tue, 12 Apr 2016, Jon Ribbens wrote:
This is still a massive game of whack-a-mole.
No, it still isn't. If the names blacklist had to keep being extended
then you would be right, but that hasn't happened so far. Whitelists
by definition contain only a small, limited number of potential moles.
The only thing you found above that even remotely approaches an
exploit is the decimal.getcontext() thing, and even that I don't
think you could use to do any code execution.
"I don't think"?
Where's the formal proof?
Without a proof, this is indeed just a game of whack-a-mole.
I don't "think" Python is a suitable foundation for a sandboxing system
intended for security purposes, but my "think" won't lead to security
holes whereas yours will. So, I would respectfully suggest that unless
you increase the rigour of your effort substantially, it is not
worthwhile. Python is great for lots of applications already - there is
no need to force it into unsuitable problem domains.
Isaac Morland CSCF Web Guru
DC 2619, x36650 WWW Software Specialist
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
