<br><br><div><span class="gmail_quote">On 7/6/06, <b class="gmail_sendername">Michael Chermside</b> <<a href="mailto:mcherm@mcherm.com">mcherm@mcherm.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Armin Rigo writes:<br>> I don't think I can "sign off" [on hiding the file type]. Really hiding<br>> Python objects is quite hard IMHO.</blockquote><div><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I agree. But we don't have to give up yet. How about instead of hiding<br>file, we cripple it. Completely. Modify the file type so that when<br>executing on a sandboxed interpreter, all of the dangerous methods<br>and attributes of file throw exceptions.
</blockquote><div><br>This is basically what I proposed in the first place! <runs around in circles, pulling at his hair like a crazy man><br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Then we create a separate thing (in C) called a "SecureFileWrapper".<br>It has methods that are passed a reference to a file object and<br>can invoke the methods without error. We provide a means for obtaining<br>
a SecureFileWrapper bound to a given file (perhaps open()).</blockquote><div><br>Yeah, it would be through open() if we returned wrappers instead of performing the checks directly in file itself.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Essentially, we give up on hiding file, which is a frequently-used<br>type, and very hard to hide, and instead we rely on our ability to<br>write a reliably secure "SecureFileWrapper" class (in C).</blockquote><div>
<br> That is another possibility. Should simplify the code as well by having fewer checks and just have pure PySandbox_IsTrusted() checks in 'file' itself in unsafe places instead of a ton of checks that the file being accessed is allowed.
<br><br>-Brett</div></div>
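<br><br>The design sketched in the exchange above (cripple the file type so its dangerous methods refuse to run in a sandboxed interpreter, then hand out a separate wrapper that can call through after a single policy decision at open time) as an added, runnable Python illustration. This is not code from the thread, from CPython, or from the sandbox branch it discusses; `is_trusted()`, `CrippledFile`, `SecureFileWrapper`, `sandbox_open()`, the allowed-path prefix and the in-memory filesystem are all assumptions made for the example. Because it is written in Python, the wrapper's `_f` attribute stays reachable from sandboxed code, which is exactly why the thread insists the real wrapper be written in C.

```python
"""Added illustration of the 'cripple file, add a trusted wrapper' design.

Not CPython's code. All names and the policy below are assumptions.
"""
import io

# Stand-in for the interpreter-wide PySandbox_IsTrusted() flag (assumption).
_SANDBOX = {"trusted": True}


def is_trusted() -> bool:
    return _SANDBOX["trusted"]


class SandboxError(Exception):
    pass


# Constructed in-memory "filesystem" so the sketch runs offline.
_FS = {
    "/tmp/scratch.txt": io.StringIO("scratch contents\n"),
    "/etc/passwd": io.StringIO("root:x:0:0:root:/root:/bin/sh\n"),
}

# Policy applied once at open time (assumption): only /tmp/ is reachable.
_ALLOWED_PREFIXES = ("/tmp/",)


class CrippledFile:
    """File type whose dangerous methods raise when the interpreter is sandboxed.

    The only check inside the type is 'am I trusted?'; it knows nothing about
    which paths are allowed, which is what keeps it simple.
    """

    _DANGEROUS = frozenset({"read", "readline", "write", "seek", "truncate"})

    def __init__(self, backing):
        self._backing = backing

    def __getattr__(self, name):
        # Only fires for names not defined on CrippledFile itself, so every
        # method of the backing object is gated here.
        if name in self._DANGEROUS and not is_trusted():
            raise SandboxError(f"file.{name}() is disabled in sandboxed mode")
        return getattr(self._backing, name)


class SecureFileWrapper:
    """Object handed to sandboxed code; it may call the crippled methods.

    In this Python sketch the privilege is modelled by flipping the trust flag
    around each call. A C implementation would call the underlying method
    directly and keep the file reference out of reach of Python code.
    """

    def __init__(self, crippled: CrippledFile, mode: str):
        self._f = crippled
        self._mode = mode

    def _privileged(self, name, *args):
        saved = is_trusted()
        _SANDBOX["trusted"] = True
        try:
            return getattr(self._f, name)(*args)
        finally:
            _SANDBOX["trusted"] = saved

    def read(self, size=-1):
        if "r" not in self._mode:
            raise SandboxError("file not opened for reading")
        return self._privileged("read", size)

    def write(self, data):
        if "w" not in self._mode:
            raise SandboxError("file not opened for writing")
        return self._privileged("write", data)


def sandbox_open(path: str, mode: str = "r") -> SecureFileWrapper:
    """open() replacement: the path policy is checked here, exactly once."""
    if not is_trusted() and not path.startswith(_ALLOWED_PREFIXES):
        raise SandboxError(f"open({path!r}) denied by sandbox policy")
    if path not in _FS:
        raise FileNotFoundError(path)
    backing = _FS[path]
    backing.seek(0)
    if "w" in mode:
        backing.truncate()
    return SecureFileWrapper(CrippledFile(backing), mode)


def run_demo() -> dict:
    """Exercise the four cases the thread cares about; returns what happened."""
    results = {}

    _SANDBOX["trusted"] = True  # 1. trusted interpreter: type behaves normally
    _FS["/tmp/scratch.txt"].seek(0)
    results["trusted_direct"] = CrippledFile(_FS["/tmp/scratch.txt"]).read()

    _SANDBOX["trusted"] = False  # 2. sandboxed: direct use of the type fails
    try:
        CrippledFile(_FS["/tmp/scratch.txt"]).read()
        results["sandboxed_direct"] = "allowed"
    except SandboxError:
        results["sandboxed_direct"] = "blocked"

    # 3. sandboxed: the wrapper from sandbox_open() can call through
    sandbox_open("/tmp/scratch.txt", "w").write("written from the sandbox\n")
    results["sandboxed_wrapper"] = sandbox_open("/tmp/scratch.txt").read()

    try:  # 4. sandboxed: a disallowed path is refused at open()
        sandbox_open("/etc/passwd")
        results["sandboxed_denied_path"] = "allowed"
    except SandboxError:
        results["sandboxed_denied_path"] = "blocked"

    _SANDBOX["trusted"] = True
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome!r}")
```

The point the sketch makes concrete is the split in responsibilities: the crippled type carries one cheap trust check per dangerous method, while the path policy lives only in `sandbox_open()`, so there is no per-call "is this file allowed?" logic scattered through the type.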