On Wed, 11 Apr 2007 19:26:27 -0300, Erik Johnson <[EMAIL PROTECTED]> wrote:

> The documentation for these two modules says that they were disabled in
> Python 2.3 due to security holes not easily fixable. I have not worked with
> them, but I can still import them under Python 2.4, so I'm not clear on
> whether the security problems were fixed in Python itself, or whether the
> modules remain deprecated (disabled?)? How are/were they actually disabled?
> Any place that documents what the problems are? Any alternatives?

They were insecure in 2003, and still are. This example still works (you have to re-enable Bastion.py and rexec.py to test, removing the explicit RuntimeError raise):
http://mail.python.org/pipermail/python-dev/2003-January/031851.html

With new-style classes you can create new instances using type(), for example; this way you can bypass the read-only restriction on files. The language has grown plenty of new attributes; they're very handy, but provide a lot of security holes, like __subclasses__ for example.

As far as I know, Python can't secure itself by now. I think you have to go outside Python, using a chroot jail for example.

--
Gabriel Genellina
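
The two points made in the reply (a class can be reached from any instance, and __subclasses__ exposes every loaded class) can be checked with a small audit on Python 3. This is an added example, not code from the post or from the linked python-dev message; `ReadOnlyFile`, `run_restricted` and `audit` are hypothetical names, the path is a constructed value, and nothing touches the disk.

```python
class ReadOnlyFile:
    """Hypothetical wrapper a host hands to untrusted code (no real I/O)."""

    def __init__(self, path, mode="r"):
        self.path, self.mode = path, mode

    def write(self, data):
        if "w" not in self.mode:
            raise PermissionError("read-only handle")
        return len(data)  # pretend write


def run_restricted(source, **names):
    """exec() source with no builtins and only the names the host exposes."""
    scope = {"__builtins__": {}, **names}
    exec(source, scope)
    return scope.get("result")


def audit():
    """Report what restricted code can still reach through introspection."""
    handle = ReadOnlyFile("/constructed/path", "r")  # constructed sample value
    findings = {}

    # The read-only check holds only for the instance the host created.
    try:
        handle.write("x")
        findings["original_blocks_write"] = False
    except PermissionError:
        findings["original_blocks_write"] = True

    # 1. Removing type() does not help: the class hangs off the instance,
    #    so a fresh instance with a different mode can be constructed.
    findings["new_instance_mode"] = run_restricted(
        "result = handle.__class__(handle.path, 'w').mode", handle=handle)

    # 2. From a bare literal, object and its direct subclasses are reachable,
    #    including classes the host never passed in.
    names = run_restricted(
        "result = [c.__name__ for c in ().__class__.__base__.__subclasses__()]")
    findings["reachable_classes"] = len(names)
    findings["sees_host_class"] = "ReadOnlyFile" in names
    return findings


if __name__ == "__main__":
    print(audit())
```

Any non-empty result for the last two findings means the restriction is a naming convention rather than a boundary, which is why the reply points to isolation outside the interpreter.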