Christian, Rami and Steven, thank you all for your help. It wasn't
meant to be a challenge, I knew it ought to be easily breakable. I'm
no hacker and it just helps to have some examples to better understand
the issue.
On Aug 20, 7:42 pm, Steven D'Aprano wrote:
> On a related topic, you should read this po
On Thu, 20 Aug 2009 08:16:51 -0700, Emanuele D'Arrigo wrote:
> In what ways would the untrusted string be able to obtain the original,
> built-in open function and open a file for writing?
On a related topic, you should read this post here:
http://tav.espians.com/a-challenge-to-break-python-secu
On Thu, 20 Aug 2009 08:16:51 -0700, Emanuele D'Arrigo wrote:
> Fair enough. In this context, let's say I do this:
>
> import __builtin__
> import imp
> originalBuiltins = imp.new_module("OriginalBuiltins")
>
> def readOnlyOpen(filename):
>     return originalBuiltins.open(filename, "r")
>
> __b
They could, of course, use the file object constructor directly, e.g.:
f = file("/etc/passwd", "w")
On Thu, 20 Aug 2009 08:16:51 -0700, Emanuele D'Arrigo wrote:
> Sorry for digging this back from the grave.
> I've had to chew on it for a little while.
>
> On Aug 8, 1:40 am, Nobody wrote:
> > Emanuele D'Arrigo wrote:
>
> In what ways would the untrusted string be able to obtain the
> original, built-in open function and open a file for writing?
Yes, if you know some tricks:
[cls for cls in object.__subclasses__() if cls.__name__ == 'file'][0]
Christian
--
http://mail.python.org/mail
Sorry for digging this back from the grave.
I've had to chew on it for a little while.
On Aug 8, 1:40 am, Nobody wrote:
> If you want to support restricted execution within a language, it
> has to be built into the language from day one. Trying to bolt it on
> later is a fool's errand.
Fair e
On Fri, 07 Aug 2009 08:15:08 -0700, Emanuele D'Arrigo wrote:
> Are there best practices to at least minimize some of the risks
> associated with untrusted code execution?
Yes: don't execute it. Failing that, run the Python interpreter within a
sandbox.
If you want to support restricted executi
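As an added example (my own code, not anything posted in this thread), here is one way to act on the "don't execute it" advice above and on Christian's point that a swapped-in read-only open() still leaves the real file class reachable through object.__subclasses__(). Instead of handing the untrusted string to exec() or eval() with a doctored builtins dict, the string is parsed with the ast module and walked node by node, and only a small arithmetic subset is accepted; attribute access, calls, subscripts and comprehensions are all rejected, so there is no namespace for the string to escape from. The whitelist, the MAX_SOURCE_LEN limit and the names safe_eval/is_accepted are my own choices; it targets Python 3.8 or later.

```python
# Added example, not from the thread: a whitelisted evaluator for a tiny
# expression language. Untrusted input is never passed to exec()/eval().
import ast
import operator

# Binary and unary operators the sub-language allows; everything else is
# rejected. ast.Pow is deliberately left out: huge exponents are a cheap
# denial of service.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

MAX_SOURCE_LEN = 200  # assumed limit: bounds parse time and recursion depth


class UnsafeExpression(ValueError):
    """Raised for any construct outside the whitelisted subset."""


def _eval_node(node, variables):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, variables)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        # Only caller-supplied numeric variables are visible. There is no
        # builtins namespace at all, so "open", "file" or "object" resolve
        # to nothing rather than to something that has to be neutered.
        if node.id in variables:
            return variables[node.id]
        raise UnsafeExpression("unknown name: %s" % node.id)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, variables)
        right = _eval_node(node.right, variables)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, variables))
    # Attribute, Call, Subscript, ListComp, Lambda, string constants and so
    # on all land here. Rejecting them is what closes off the
    # object.__subclasses__() and file(...) escapes discussed in the thread.
    raise UnsafeExpression("disallowed syntax: %s" % type(node).__name__)


def safe_eval(source, variables=None):
    """Evaluate an untrusted arithmetic expression without exec()/eval()."""
    if len(source) > MAX_SOURCE_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(source, mode="eval")  # statements are a SyntaxError here
    except SyntaxError as exc:
        raise UnsafeExpression("not an expression: %s" % exc)
    return _eval_node(tree, dict(variables or {}))


def is_accepted(source, variables=None):
    """True if the string lies within the safe subset, False otherwise."""
    try:
        safe_eval(source, variables)
    except UnsafeExpression:
        return False
    return True


if __name__ == "__main__":
    print(safe_eval("2 + 3 * 4"))                              # 14
    print(safe_eval("price * qty", {"price": 2.5, "qty": 4}))  # 10.0
    # The two escape snippets quoted in the thread are rejected by the walker:
    for attempt in ('file("/etc/passwd", "w")',
                    "[cls for cls in object.__subclasses__() "
                    "if cls.__name__ == 'file'][0]"):
        print(attempt, "->", is_accepted(attempt))            # False
```

The point of the design is that there is nothing to bolt on afterwards: the accepted grammar is the whole attack surface, and widening it (adding a Call node, say) is a visible decision rather than a forgotten builtin. If the input language genuinely has to be Python, this approach does not apply and the remaining option is the one Nobody gives, running the interpreter itself inside an OS-level sandbox.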
Greetings everybody,
I've been reading and mulling about python and security, specifically
in terms of executing code that may or may not be trustworthy. I
understand that libraries such as Rexec and Bastion are now deprecated
because they have known vulnerabilities that may be exploited to
circum