[Python-Dev] Fw: Security hole in rexec?

Guido van Rossum guido@python.org
Tue, 27 Aug 2002 11:02:24 -0400


> > [rexec compromised by deleting __builtins__]
> > 
> > This has been known for a while, see python.org/sf/577530.
> > 
> > My recommendation is the same as always: don't trust rexec.
> > 
> > --Guido van Rossum (home page: http://www.python.org/~guido/)
> 
> I think it is a VERY BAD idea to advertise publicly that rexec can be 
> used to "safely" restrict execution, while privately (i.e., the above 
> postings to a developers-only list and to sourceforge).
> 
> Therefore I propose that the official documentation to the Python 
> Library Reference for the module rexec be modified to add a note saying 
> that rexec is not completely reliable and can be undermined by a 
> knowledgeable hacker. The current documentation STRONGLY implies this is 
> NOT the case by explaining in detail the more minor susceptibility to 
> DoS attacks (memory or CPU time) and raising SystemExit.
> 
> Why not add something like the following to the beginning of the module 
> documentation:
> 
> """
> Warning: While the rexec module is designed to perform as described 
> below, it does have a few known vulnerabilities which could be exploited 
> by carefully written code. Thus it should not be relied upon in 
> situations requiring "production ready" security. In such situations, 
> execution via sub-processes (a separate Python executable) or very 
> careful "cleansing" of data to be processed may be necessary. 
> Alternatively, help in patching known rexec vulnerabilities would be 
> welcomed.
> """
> 
> Admitting to library weaknesses (especially in the area of security) 
> doesn't make great PR, but at least it's honest!

Yes.  This should be done.

--Guido van Rossum (home page: http://www.python.org/~guido/)