[Python-checkins] r50479 - python/branches/bcannon-sandboxing/sandboxing_design_doc.txt

brett.cannon python-checkins at python.org
Fri Jul 7 20:16:23 CEST 2006


Author: brett.cannon
Date: Fri Jul  7 20:16:23 2006
New Revision: 50479

Modified:
   python/branches/bcannon-sandboxing/sandboxing_design_doc.txt
Log:
Clarify protection of 'print', input(), and raw_input().


Modified: python/branches/bcannon-sandboxing/sandboxing_design_doc.txt
==============================================================================
--- python/branches/bcannon-sandboxing/sandboxing_design_doc.txt	(original)
+++ python/branches/bcannon-sandboxing/sandboxing_design_doc.txt	Fri Jul  7 20:16:23 2006
@@ -33,7 +33,7 @@
 * helper functions to get at StringIO instances for stdin, stdout, and friends?
 * decide on what type of objects (e.g., PyStringObject or const char *) are to
   be passed into PySandbox_*Extended*() functions
-
+* all built-ins properly protected?
 
 Goal
 =============================
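Review bot: the new TODO item `+* all built-ins properly protected?` is an open question rather than an actionable task; consider stating what "properly protected" means here (which built-ins are to be audited, and hidden versus crippled, in the terms the Threat Model section uses) or cross-referencing the section that covers them, so the item can be checked off once that work is done.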
@@ -345,8 +345,7 @@
 Threat Model
 ///////////////////////////////////////
 
-Below is a list of what the security implementation
-should allow/prevent or assumes, along with what section of this document that addresses
+Below is a list of what the security implementation assumes, along with what section of this document that addresses
 that part of the security model (if not already true in Python by default).
 The term "bare" when in terms
 of an interpreter means an interpreter that has not performed a single import
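Review bot: narrowing "should allow/prevent or assumes" to just "assumes" leaves the introduction at odds with the list that follows, whose entries are still phrased as requirements ("Objects in the built-in namespace should be safe to use") rather than assumptions; either keep a word covering both kinds of entry or reword the list items. While touching this sentence, "what section of this document that addresses" should lose the stray "that".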
@@ -375,7 +374,7 @@
 * When starting a sandboxed interpreter, it starts with a fresh built-in and
   global namespace that is not shared with the interpreter that started it.
  Objects in the built-in namespace should be safe to use
- [``Reading/Writing Files`_].
+ [`Reading/Writing Files`_, `Stdin, Stdout, and Stderr`_].
     + Either hide the dangerous ones or cripple them so they can cause no harm.
 
 There are also some features that might be desirable, but are not being
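Review bot: the replacement line also fixes the unbalanced backticks in ``Reading/Writing Files`_ (double open, single close), which would not have rendered as a reStructuredText reference; worth calling out in the log message so the formatting fix is not lost. The preceding continuation line " Objects in the built-in namespace should be safe to use" is indented one space while the bullet body uses two, so it may not attach to the bullet when rendered; indent it to match.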
@@ -903,12 +902,15 @@
 instances of cStringIO.  Explicit allowance of the process' stdin, stdout, and
 stderr is possible.
 
+This will protect the 'print' statement, and the built-ins input() and
+raw_input().
+
 
 Why
 --------------
 
 Interference with stdin, stdout, or stderr should not be allowed unless
-desired.
+desired.  No one wants uncontrolled output sent to their screen.
 
 
 Possible Security Flaws
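Review bot: the added paragraph asserts that the 'print' statement, input() and raw_input() are protected without saying why; spell out that this follows only because they go through sys.stdout and sys.stdin, which the preceding paragraph replaces with cStringIO instances, and that the protection therefore also requires hiding or replacing the original stream objects Python keeps in sys.__stdin__, sys.__stdout__ and sys.__stderr__, which would otherwise still be reachable from sandboxed code. The "Why" addition justifies only the output side ("uncontrolled output sent to their screen"); a sentence on why reading from the process' stdin must equally be controlled would make the rationale match the scope.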