Re: [Zope-dev] RestrictedPython implementation in zope2.
On Thursday 10 July 2008, Martijn Faassen wrote:
> Hopefully we can distribute some hints and tips on this amongst us.

I agree. The most important task is to figure out the changes that have been made to the AST. Verifying whether those changes affect RestrictedPython is the easier part, since we mainly have to look for attribute and item access (as far as I can tell from the RestrictedPython source code). So does anyone know how we can find out about those changes?

> Being a summer of code student, the student is in there also for the learning exercise after all, so perhaps this is an opportunity to learn a little about the AST. That said, if Ranjith gets stuck we would understand just fine, and just a report by Ranjith on the status of his researches would be valuable for whoever comes and tries to fix it after him (as this does need to get fixed in some way).

I agree. I overreacted. So what we need is:

* A list of all changes.
* Verify that those changes do not cause a different combination of looking up an attribute or item.
* If they do, create a test showing the unsafe lookup and update the code.

Regards,
Stephan

--
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] RestrictedPython implementation in zope2.
On Monday 14 July 2008, Stephan Richter wrote:
> * A list of all changes.

All changes to the AST, that is.

Regards,
Stephan

--
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"
Re: [Zope-dev] RestrictedPython implementation in zope2.
On Monday 14 July 2008, Stephan Richter wrote:
> On Monday 14 July 2008, Stephan Richter wrote:
> > * A list of all changes.
>
> All changes to the AST, that is.

No AST API changes have been reported in What's New in Python 2.5:
http://docs.python.org/whatsnew/ports.html

So what else can we do to prove that the AST was not changed?

Regards,
Stephan

--
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"
[Zope-dev] RestrictedPython implementation in zope2.
Hello,

During the porting of zope2 to python2.5 I am in need of guidance on doing the security auditing of RestrictedPython for python2.5. Now a person named Chris Withers had volunteered for helping. And I will be happy to get guidance and help from Chris Withers.
Re: [Zope-dev] RestrictedPython implementation in zope2.
On Thursday 10 July 2008, ranjith kannikara wrote:
> During the porting of zope2 to python2.5 I am in need of guidance on doing the security auditing of RestrictedPython for python2.5. Now a person named Chris Withers had volunteered for helping. And I will be happy to get guidance and help from Chris Withers.

Since I am heavily using Python 2.5 and RestrictedPython, I gave zope.proxy a good shake. I also looked at the safe builtins declarations and updated them. I have not yet reviewed the byte code hacks, which is the most complicated aspect.

How much experience do you have with the Python AST implementation? You basically need to find out how the AST changed from Python 2.4 to 2.5 and then make sure that every attribute and item access is overwritten with the secure lookup version.

Regards,
Stephan

--
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"
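An added illustration of the two points raised in this thread (rewriting every attribute and item access into the secure lookup, and a test that refuses any lookup the rewrite missed); this is example code written here, not RestrictedPython's own implementation. It assumes the Python 3.9+ `ast` module in place of the 2.x compiler package, guard names `_getattr_`/`_getitem_`, and a deny-underscore policy constructed for the example.

```python
import ast

# Guard names assumed for this example (same shape as RestrictedPython's hooks).
GETATTR, GETITEM = "_getattr_", "_getitem_"

def guarded_getattr(obj, name):
    """Constructed policy: deny private and dunder attribute names."""
    if name.startswith("_"):
        raise AttributeError("restricted attribute: %s" % name)
    return getattr(obj, name)

def guarded_getitem(obj, key):
    """Constructed policy: deny underscore-prefixed string keys."""
    if isinstance(key, str) and key.startswith("_"):
        raise KeyError("restricted key: %s" % key)
    return obj[key]

class GuardLookups(ast.NodeTransformer):
    """Rewrite every attribute and item *read* into a call to its guard."""
    def visit_Attribute(self, node):
        self.generic_visit(node)  # transform nested lookups (a.b.c) first
        if not isinstance(node.ctx, ast.Load):
            return node  # stores/deletes need their own guards; not shown here
        call = ast.Call(func=ast.Name(id=GETATTR, ctx=ast.Load()),
                        args=[node.value, ast.Constant(node.attr)], keywords=[])
        return ast.copy_location(call, node)

    def visit_Subscript(self, node):
        self.generic_visit(node)
        if not isinstance(node.ctx, ast.Load):
            return node
        call = ast.Call(func=ast.Name(id=GETITEM, ctx=ast.Load()),
                        args=[node.value, node.slice], keywords=[])
        return ast.copy_location(call, node)

def unguarded_lookups(tree):
    """Audit step: Attribute/Subscript loads still present in a tree (or source)."""
    if isinstance(tree, str):
        tree = ast.parse(tree, mode="eval")
    return sorted(type(n).__name__ for n in ast.walk(tree)
                  if isinstance(n, (ast.Attribute, ast.Subscript))
                  and isinstance(n.ctx, ast.Load))

def restricted_eval(source, names):
    """Compile an expression with guarded lookups and run it without builtins."""
    tree = ast.fix_missing_locations(GuardLookups().visit(ast.parse(source, mode="eval")))
    if unguarded_lookups(tree):  # the test Stephan asks for: refuse any bare lookup
        raise ValueError("unsafe lookup survived the rewrite")
    env = {"__builtins__": {}, GETATTR: guarded_getattr, GETITEM: guarded_getitem}
    return eval(compile(tree, "<restricted>", "eval"), env, dict(names))
```

Running `unguarded_lookups` over the untransformed tree of each new node type a Python release introduces is the kind of check the list above calls for: any `Attribute` or `Subscript` load that survives the rewrite is an unsafe lookup.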
Re: [Zope-dev] RestrictedPython implementation in zope2.
Hey Stephan,

It's good to know we have some eyes on this particular topic. Thanks Stephan!

I talked to Chris about this at the EuroPython conference after Chris started offering free beer and even bottles of champagne for people who could point out flaws (beer) and submit fixes with tests (champagne). Unfortunately for everybody now suddenly hopeful, this offer has since expired (nobody took him up on it during EuroPython :).

Hopefully we can distribute some hints and tips on this amongst us. Being a summer of code student, the student is in there also for the learning exercise after all, so perhaps this is an opportunity to learn a little about the AST. That said, if Ranjith gets stuck we would understand just fine, and just a report by Ranjith on the status of his researches would be valuable for whoever comes and tries to fix it after him (as this does need to get fixed in some way).

Regards,
Martijn