[Python-Dev] Fw: Security hole in rexec?
Tue, 27 Aug 2002 08:58:16 -0400
> [rexec compromised by deleting __builtins__]
> This has been known for a while, see python.org/sf/577530.
> My recommendation is the same as always: don't trust rexec.
> --Guido van Rossum (home page: http://www.python.org/~guido/)
I think it is a VERY BAD idea to advertise publicly that rexec can be
used to "safely" restrict execution, while privately (ie, the above
postings to a developers-only list and to sourceforge).
Therefore I propose that the official documentation to the Python
Library Reference for the module rexec be modified to add a note saying
that rexec is not completely reliable and can be undermined by a
knowledgable hacker. The current documentation STRONGLY implies this is
NOT the case by explaining in detail the more minor susceptibility to
DOS attacks (memory or CPU time) and raising SystemExit.
Why not add something like the following to the beginning of the module
Warning: While the rexec module is designed to perform as described
below, it does have a few known vulnerabilities which could be exploited
by carefully written code. Thus it should not be relied upon in
situations requiring "production ready" security. In such situations,
execution via sub-processes (a separate Python executable) or very
careful "cleansing" of data to be processed may be necessary.
Alternatively, help in patching known rexec vulnerabilities would be
Admitting to library weaknesses (especially in the area of security)
doesn't make great PR, but at least it's honest!
-- Michael Chermside