<br><br><div class="gmail_quote">On Mon, Feb 23, 2009 at 12:10, tav <span dir="ltr"><<a href="mailto:tav@espians.com">tav@espians.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hey all,<br>
<br>
As an attempt to convince everyone of the merits of my functions-based<br>
approach to security, I've come up with a simple challenge. I've<br>
attached it as safelite.py<br>
<br>
The challenge is simple:<br>
<br>
* Open a fresh Python interpreter<br>
* Do: >>> from safelite import FileReader<br>
* You can use FileReader to read files on your filesystem<br>
* Now find a way to *write* to the filesystem from your interpreter<br>
<br>
Please note that the aim of this isn't to protect Python against<br>
crashes/segfaults or exhaustion of resources attacks, so those don't<br>
count.<br>
<br>
I'm keen to know your experiences even if you don't manage to write to<br>
the filesystem -- and especially if you do!<br>
<br>
Dinner and drinks on me for an evening -- when you are next in London<br>
or I am in your town -- to the first person who manages to break<br>
safelite.py and write to the filesystem.<br>
<br>
Good luck and thanks! =)<br>
<br>
> If you block __closure__ and __globals__ on function objects you will get a<br>
> semblance of a private namespace. That way you might (I have not thought<br>
> this one through like securing the interpreter for embedding) be able to get<br>
> what you need to safely pass in Python code through the globals of the code<br>
> being executed.<br>
<br>
Brett, this is exactly what I do.</blockquote><div><br>Ah, OK. I just quickly looked at your patches on codereview and noticed that neither __closure__ or __globals__ have been touched.<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
You also need to restrict func_code.</blockquote><div><br>I assume you are worried about getting a hold of the code type and constructing code objects from scratch?<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
The patch is simply for closing the other loopholes:<br>
type.__subclasses__, GeneratorType.gi_frame and gi_code. All possible<br>
in a patch of 6 lines of code thanks to Python's existing restricted<br>
framework in the interpreter.<br>
<br>
Please review and accept =)<br>
</blockquote><div><br>I personally don't have the time. The feedback in this email is all I can spare.<br><br>-Brett<br></div></div><br>