[Python-Dev] Fw: Security hole in rexec?

Michael Chermside mcherm@destiny.com
Tue, 27 Aug 2002 08:58:16 -0400

> [rexec compromised by deleting __builtins__]
> This has been known for a while, see python.org/sf/577530.
> My recommendation is the same as always: don't trust rexec.
> --Guido van Rossum (home page: http://www.python.org/~guido/)

I think it is a VERY BAD idea to advertise publicly that rexec can be 
used to "safely" restrict execution, while privately (ie, the above 
postings to a developers-only list and to sourceforge).

Therefore I propose that the official documentation to the Python 
Library Reference for the module rexec be modified to add a note saying 
that rexec is not completely reliable and can be undermined by a 
knowledgable hacker. The current documentation STRONGLY implies this is 
NOT the case by explaining in detail the more minor susceptibility to 
DOS attacks (memory or CPU time) and raising SystemExit.

Why not add something like the following to the beginning of the module 

Warning: While the rexec module is designed to perform as described 
below, it does have a few known vulnerabilities which could be exploited 
by carefully written code. Thus it should not be relied upon in 
situations requiring "production ready" security. In such situations, 
execution via sub-processes (a separate Python executable) or very 
careful "cleansing" of data to be processed may be necessary. 
Alternatively, help in patching known rexec vulnerabilities would be 

Admitting to library weaknesses (especially in the area of security) 
doesn't make great PR, but at least it's honest!

-- Michael Chermside