[Python-bugs-list] [ python-Bugs-533625 ] rexec: potential security hole
noreply@sourceforge.net
noreply@sourceforge.net
Fri, 22 Mar 2002 09:35:08 -0800
Bugs item #533625, was opened at 2002-03-22 16:29
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=533625&group_id=5470
Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Armin Rigo (arigo)
Assigned to: Nobody/Anonymous (nobody)
Summary: rexec: potential security hole
Initial Comment:
The documentation of the restricted execution module,
rexec, should make it clear that it is dangerous to
allow the restricted code write into a directory that
is included in sys.path. Indeed, I suspect that is it
common to allow restricted code to write in the
current directory (e.g. after a chdir() to a directory
that contains only the files we want the restricted
code to work on). But '' is in sys.path by default.
Attached is a script that uses this to perform the
equivalent of an unmarshal of a code object (which is
forbidden in restricted mode -- although it is clear
to me why, it might not be obvious to someone not used
to Python's internals and should be mentionned
somewhere). The attached script writes and then import
a .pyc file that defines a function whose bogus code
(at least on 32-bit Unix machines with Python 2.2-2.3)
returns the frame of the caller. This lets the
restricted code access the original builtins.
----------------------------------------------------------------------
>Comment By: Martin v. Löwis (loewis)
Date: 2002-03-22 18:35
Message:
Logged In: YES
user_id=21627
Isn't that a bug in LOAD_FAST?
----------------------------------------------------------------------
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=533625&group_id=5470