Re: [Zope-dev] RestrictedPython implementation in zope2.

2008-07-14 Thread Stephan Richter
On Thursday 10 July 2008, Martijn Faassen wrote:
 Hopefully we can distribute some hints and tips on this amongst us.

I agree. The most important task is to figure out the changes that have been 
made to the AST. Verifying whether those changes affect RestrictedPython is 
the easier part, since we mainly have to look for attribute and item access 
(as far as I can tell from the RestrictedPython source code).

So does anyone know how we can find out about those changes?

 Being a summer of code student, the student is in there also for the
 learning exercise after all, so perhaps this is an opportunity to
 learn a little about the AST. That said, if Ranjith gets stuck we
 would understand just fine, and just a report by Ranjith on the status
 of his research would be valuable for whoever comes and tries to fix
 it after him (as this does need to get fixed in some way).

I agree. I overreacted. So what we need is:

* A list of all changes.

* Verify that those changes do not cause a different combination of looking up 
an attribute or item.

* If they do, create a test showing the unsafe lookup and update the code.

Regards,
Stephan
-- 
Stephan Richter
Web Software Design, Development and Training
Google me. Zope Stephan Richter
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] RestrictedPython implementation in zope2.

2008-07-14 Thread Stephan Richter
On Monday 14 July 2008, Stephan Richter wrote:
 * A list of all changes.

All changes to the AST, that is.

Regards,
Stephan
-- 
Stephan Richter
Web Software Design, Development and Training
Google me. Zope Stephan Richter


Re: [Zope-dev] RestrictedPython implementation in zope2.

2008-07-14 Thread Stephan Richter
On Monday 14 July 2008, Stephan Richter wrote:
 On Monday 14 July 2008, Stephan Richter wrote:
  * A list of all changes.

 All changes to the AST that is.

No AST API changes have been reported in What's new in Python 2.5.

http://docs.python.org/whatsnew/ports.html

So what else can we do to prove that the AST was not changed?

Regards,
Stephan
-- 
Stephan Richter
Web Software Design, Development and Training
Google me. Zope Stephan Richter


[Zope-dev] RestrictedPython implementation in zope2.

2008-07-10 Thread ranjith kannikara
Hello,

During the porting of zope2 to Python 2.5 I am in need of guidance on
doing the security audit of RestrictedPython for Python 2.5. Now a
person named Chris Withers has volunteered to help, and I will be
happy to get guidance and help from Chris Withers.


Re: [Zope-dev] RestrictedPython implementation in zope2.

2008-07-10 Thread Stephan Richter
On Thursday 10 July 2008, ranjith kannikara wrote:
 During the porting of zope2 to Python 2.5 I am in need of guidance on
 doing the security audit of RestrictedPython for Python 2.5. Now a
 person named Chris Withers has volunteered to help, and I will be
 happy to get guidance and help from Chris Withers.

Since I am heavily using Python 2.5 and RestrictedPython, I gave zope.proxy a 
good shake. I also looked at the safe builtins declarations and updated them. 
I have not yet reviewed the byte code hacks, which is the most complicated 
aspect. How much experience do you have with the Python AST implementation?

You basically need to find out how the AST changed from Python 2.4 to 2.5 and 
then make sure that every attribute and item access is overwritten with the 
secure lookup version.

Regards,
Stephan
-- 
Stephan Richter
Web Software Design, Development and Training
Google me. Zope Stephan Richter
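What Stephan describes above (every attribute and item access replaced by a guarded lookup) and the three-step plan earlier in the thread (list the AST changes, verify the lookups, write a test for any unsafe one), shown as a small added example. This is not RestrictedPython's code and not from any message in this thread. It uses the modern ast module rather than the Python 2.4/2.5 compiler package the port worked with, so it assumes Python 3.9 or later. The guard names _getattr_ and _getitem_, the underscore-prefix policy in safe_getattr, the ast_node_names helper (a per-interpreter snapshot of node classes, meant to be diffed between interpreter versions to get the list of AST changes), and the audit/blocked checks are all this example's own choices.

```python
# Added example, not RestrictedPython's own code: rewrite attribute and item
# loads into guarded calls, then check that no raw lookup survives.
# Assumes Python 3.9+ (Subscript.slice is a plain expression there).
import ast


class GuardLookups(ast.NodeTransformer):
    """Turn a.b into _getattr_(a, 'b') and a[i] into _getitem_(a, i).

    Only Load context is rewritten; stores and deletes are left alone here.
    """

    def visit_Attribute(self, node):
        self.generic_visit(node)           # rewrite the inner expression first
        if not isinstance(node.ctx, ast.Load):
            return node
        call = ast.Call(func=ast.Name(id="_getattr_", ctx=ast.Load()),
                        args=[node.value, ast.Constant(node.attr)], keywords=[])
        return ast.copy_location(call, node)

    def visit_Subscript(self, node):
        self.generic_visit(node)
        if not isinstance(node.ctx, ast.Load):
            return node
        key = node.slice
        if isinstance(key, ast.Slice):    # a[1:2] -> slice(1, 2, None), a real value
            parts = [p if p is not None else ast.Constant(None)
                     for p in (key.lower, key.upper, key.step)]
            key = ast.Call(func=ast.Name(id="slice", ctx=ast.Load()),
                           args=parts, keywords=[])
        call = ast.Call(func=ast.Name(id="_getitem_", ctx=ast.Load()),
                        args=[node.value, key], keywords=[])
        return ast.copy_location(call, node)


def safe_getattr(obj, name):
    """Stand-in policy (an assumption of this example): refuse underscore
    names, which is where __class__, __subclasses__ and friends live."""
    if name.startswith("_"):
        raise AttributeError("restricted: attribute %r is not allowed" % name)
    return getattr(obj, name)


def safe_getitem(obj, key):
    """Item policy hook; permissive here, but the single place to tighten."""
    return obj[key]


def ast_node_names():
    """Snapshot of the AST node classes this interpreter exposes. Run it on
    each interpreter version and diff the lists to get the 'list of all
    changes' to the AST the thread asks for."""
    return sorted(name for name, cls in vars(ast).items()
                  if isinstance(cls, type) and issubclass(cls, ast.AST))


def unguarded_loads(tree):
    """Audit check: Attribute/Subscript nodes that still load directly."""
    return [type(n).__name__ for n in ast.walk(tree)
            if isinstance(n, (ast.Attribute, ast.Subscript))
            and isinstance(n.ctx, ast.Load)]


def audit(source):
    """Unguarded lookups in an expression before and after the rewrite."""
    before = ast.parse(source, mode="eval")
    after = GuardLookups().visit(ast.parse(source, mode="eval"))
    return unguarded_loads(before), unguarded_loads(after)


def compile_restricted(source):
    tree = GuardLookups().visit(ast.parse(source, mode="eval"))
    ast.fix_missing_locations(tree)
    if unguarded_loads(tree):
        raise ValueError("rewrite missed a lookup in %r" % source)
    return compile(tree, "<restricted>", "eval")


def run_restricted(source, **names):
    """Evaluate an expression with no builtins, only the guards and names."""
    env = {"__builtins__": {}, "_getattr_": safe_getattr,
           "_getitem_": safe_getitem, "slice": slice}
    env.update(names)
    return eval(compile_restricted(source), env)


def blocked(source, **names):
    """True when the guards refuse the expression (the unsafe-lookup test)."""
    try:
        run_restricted(source, **names)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print(run_restricted("x.real + y[1]", x=3, y=[10, 20]))
    print(blocked("().__class__.__bases__[0].__subclasses__()"))
    print(audit("a.b[c]"))
```

The point of the audit function is the second half of Stephan's plan: after the rewrite, ast.walk must find no Attribute or Subscript node in Load context, because any one that survives is a lookup the guards never see. A new node type in a newer interpreter (the diff from ast_node_names) that can carry an attribute or item access would show up here as a non-empty "after" list, which is exactly the test case the thread says should be written before the code is updated.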


Re: [Zope-dev] RestrictedPython implementation in zope2.

2008-07-10 Thread Martijn Faassen
Hey Stephan,

It's good to know we have some eyes on this particular topic. Thanks
Stephan! I talked to Chris about this at the EuroPython conference
after Chris started offering free beer and even bottles of champagne
for people who could point out flaws (beer) and submit fixes with
tests (champagne). Unfortunately for everybody now suddenly hopeful
this offer has since expired (nobody took him up on it during
EuroPython :).

Hopefully we can distribute some hints and tips on this amongst us.
Being a summer of code student, the student is in there also for the
learning exercise after all, so perhaps this is an opportunity to
learn a little about the AST. That said, if Ranjith gets stuck we
would understand just fine, and just a report by Ranjith on the status
of his research would be valuable for whoever comes and tries to fix
it after him (as this does need to get fixed in some way).

Regards,

Martijn