[Idle-dev] RE: idle-fork odds and ends

Stephen M. Gava
Sun, 24 Jun 2001 11:51:25 +1000


> > > Understood.  I'll probably give my changes (which are just three new
> > > files plus diffs to a fourth) to Stephen for consolidation.  I think
> > > the main change that needs to be made to make it safer is that the
> > > parent process (IDLE) should listen for a connection and the
> > > subprocess that executes the commands should connect to the parent.
> > > It is currently the other way around, which is unsafe.  Additional
> > > safety measures should also be taken, but I believe this reversal
> > > of roles is essential.
> >
> > David, if you have even the teeniest amount of time available, or could
> > recommend someone who's up on the topic, this is one of the things I
> > would appreciate some help on.
> > (Any other volunteers for this?)
>
> I have enough time to answer questions, at least.  I haven't seen
> Guido's source, so I can't comment on it.  I can tell you the following
> about the code currently in idle-fork:
>
> (1) My implementation of "remote process execution" already works the
> way Guido wants: IDLE listens for a connection, then spawns a subprocess
> which connects back to IDLE.  This makes it unlikely that an attacker
> will be able to connect to the subprocess, although they may be able to
> connect to IDLE.  However, my implementation probably isn't secure,
> because:
>
> (2) My implementation uses a simple RPC protocol implemented in
> protocol.py for communication in both directions.  I took this approach
> over simple I/O redirection because I imagined that eventually debugging
> functionality would be desired, and RPC would make implementing that
> vastly easier.  Since the subprocess can make RPC calls into IDLE,
> making IDLE the server doesn't really help.
>
> (3) It seems to me that making the connection between IDLE and its
> subprocess in a secure way is a much better solution than trying to make
> the protocol itself secure.  I think this is normally done by creating
> both the client and server ends of the connection in IDLE, and passing
> one end to the subprocess during its creation.  However, I'm not sure
> that can be done in a cross-platform way.

I see, thanks for this info. I've just started poring over the full IDLE
source, trying to build an overview of where everything fits.

> Let me know what else you want to know.

Will do. I'm still thinking that this is an area where, once changes have 
been merged and Guido has decided what he's doing with his code for this, 
I'll be looking for someone who wants to work on perfecting this as a 
priority. It's obviously a crucial improvement in IDLE, but not one I'd like 
to be doing the coding for myself, among the other things I'm hoping to take 
on, if I can possibly avoid it. (But if I can't s'ok, I'll just put some
other things on hold.)

-- 
Stephen M. Gava
<elguavas@users.sourceforge.net>
"More power to those who don't care for it." - anon
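
Point (3) of the quoted reply, sketched as an added example that is not part of the original thread or of idle-fork's code: the parent creates both ends of the connection with `socket.socketpair()` and hands one end to the child, so no port is ever opened for another process to connect to. It assumes a POSIX system (`pass_fds` is not supported on Windows, which is the cross-platform doubt raised above); `CHILD_SRC`, `run_commands` and the `len=` reply format are hypothetical names constructed for the illustration.

```python
import socket
import subprocess
import sys

# Child program (constructed for this example). It receives the number of an
# already-connected descriptor; it never listens on or connects to any port.
CHILD_SRC = r"""
import socket, sys
conn = socket.socket(fileno=int(sys.argv[1]))   # adopt the inherited end
with conn, conn.makefile("r", encoding="utf-8") as rfile, \
        conn.makefile("w", encoding="utf-8") as wfile:
    for line in rfile:
        # Stand-in for "execute the command": report the command length only.
        wfile.write("len=%d\n" % len(line.rstrip("\n")))
        wfile.flush()
"""


def run_commands(commands):
    """Send each command to a child over a private socketpair; return replies."""
    parent_end, child_end = socket.socketpair()  # both ends made in the parent
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC, str(child_end.fileno())],
        pass_fds=(child_end.fileno(),),          # POSIX only: inherit this fd
    )
    child_end.close()                            # parent keeps only its own end
    replies = []
    with parent_end, parent_end.makefile("r", encoding="utf-8") as rfile, \
            parent_end.makefile("w", encoding="utf-8") as wfile:
        for cmd in commands:
            wfile.write(cmd + "\n")
            wfile.flush()
            replies.append(rfile.readline().rstrip("\n"))
    # Closing the parent's end gives the child EOF, so it exits on its own.
    child.wait(timeout=10)
    return replies


if __name__ == "__main__":
    print(run_commands(["print(1)", "x = 2 + 2"]))
```

Because `close_fds` defaults to true, the child inherits only the descriptor named in `pass_fds`, and the channel has no address that a third process could connect to.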