[Python-Dev] Re: [Python-checkins] CVS: python/dist/src/Python ceval.c,2.207,2.208

Thomas Wouters thomas@xs4all.net
Wed, 11 Oct 2000 20:04:31 +0200

On Wed, Oct 11, 2000 at 10:03:00AM -0500, Guido van Rossum wrote:

> > > > Can't user Python code, fiddling around with bytecode, produce garbled
> > > > bytecode? In that case, it seems  even better to raise an exception.

> > > Yes, they can produce garbled bytecode, and if that is detected, it's
> > > not safe to proceed.  So a fatal error is the right thing.

> > The problem with letting Python code cause fatal errors is that it makes
> > restricted execution much more difficult. Well, something to think about
> > for 2.1...

> Huh?  In restricted execution you shouldn't be allowed to mess with
> bytecode!

Well, I can see what Moshe means. You get a code object passed in, say, an
untrusted pickle or some such. You want to execute it, but you don't want it
to ruin your life. Causing the entire program to quit could be considered
'ruining'. On the other hand, if you can hand-tweak bytecode streams in that
degree, you can f** up a lot more. On the one foot, though, most of the
calls to Py_FatalError (as far as I can see) deal with initialization
failures, or structures to which tweaked bytecode would not have access. On
the other foot, it's probably possible to tweak bytecode to *get* access to
those structures, or at least structures that don't like being dereferenced
or DECREF'd. And there's probably more to consider, but I haven't got any
public appendages left, and there might be children listening ;)

All in all, Guido's probably right... If something like this happens, you
don't want to continue. If the argument to DUP_TOPX is something other than
what compile.c generates (between 1 and 5, inclusive, that is) something
strange is going on internally. Better to quit now than delete
c:\command.com by 'accident'. If people can do this to code being run in
restricted environments, they can probably do worse things, too!

Now I just need an OK from Jeremy, as the maitre d', and I'll check it in.

Thomas Wouters <thomas@xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!