Mike Meyer wrote: > Xavier Morel <[EMAIL PROTECTED]> writes: [Old message and Xavier's question] [Mike's reply to Xavier] > > > Since Python doesn't have any way to secure the interface built-in, > > i'd be interrested in that. > > Devan apparently doesn't have as cooperative an ISP, and is working on > securing the interpreter. What he's done may be more interesting.
It's not particularily interesting. The C code simply has more attributes restricted in restricted mode, disabling in particular __subclasses__. The rest is creating safe __builtins__ and only giving them some modules (but again, importing is still largely broken, although one liners are still possible). In any case, I don't know how secure it actually is, since nobody seems to go further than import os or import sys. So if you're bored, you can try to break into it. I haven't secured modjelly entirely, and it might be possible to trick modjelly into executing code by using descriptors when it tries to pull out all of the information. Then again, I haven't even added support for properties in it yet. Plus it has no support for if you delete critical attributes which are needed to recreate the object. Still, I think it's good enough to deter any random person from trying to wipe the server for now. -- http://mail.python.org/mailman/listinfo/python-list
