[Python-Dev] Python and Security

Barry A. Warsaw barry@zope.com
Sun, 20 Jan 2002 18:01:44 -0500


>>>>> "MvL" == Martin v Loewis <martin@v.loewis.de> writes:

    | - invoking exec or eval on a string of unknown origin
    | - unpickling an arbitrary string
    | - performing getattr with a parameter of unknown origin.

Don't forget os.system(), popen(), and friends, i.e. passing
unsanitized strings to the shell.  In my long rusty Perl
experience, this was the most common reason to use taint strings.

Python OTOH really has very little need to call out to the shell;
almost everything you'd want to do that way can be done in pure
Python.  There are some opportunities for improving string sanitization
for the few instances where os.system() is necessary.

Most of the security issues I've had to deal with in Mailman have been
in library modules -- or the use thereof, not in the language itself.
Things like vulnerabilities in Cookie.py or pickle/marshal, or
cross-site scripting exploits, that kind of thing.  There are also
more subtle issues that would be interesting to explore, like DoS
attacks with thru-the-web regular expression searching, deliberate
form confuddling, and some of the ttw code execution stuff that
e.g. Zope gets into.  Rexec is an incomplete solution to the latter.

-Barry
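The os.system()/popen() hazard Barry describes, shown as an added example (not code from the message or from Mailman). It builds a file whose name is a legal POSIX filename but contains shell metacharacters, then counts its lines four ways: the unsafe string-to-shell form, the same string with shlex.quote(), an argument list with no shell, and pure Python. The filename, the scratch directory and the line-counting task are constructed for the demonstration; wc and /bin/sh are assumed to be present.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample input: a filename taken from an untrusted source
# (a web form field, an e-mail header). It is a legal POSIX filename,
# but to /bin/sh the ';' ends one command and starts another.
UNTRUSTED_NAME = "report.txt; echo INJECTED"


def make_sample_dir():
    """Create a scratch directory holding a 3-line file with the hostile name."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, UNTRUSTED_NAME), "w") as f:
        f.write("one\ntwo\nthree\n")
    return tmp


def count_lines_via_shell_unsafe(dirname, name):
    """Equivalent of os.popen("wc -l " + name): the whole string is parsed by
    the shell, so the attacker's second command runs. Returns the shell's
    stdout so the injected output is visible to the caller."""
    cmd = "wc -l " + name
    return subprocess.run(cmd, shell=True, cwd=dirname,
                          capture_output=True, text=True).stdout


def count_lines_via_shell_quoted(dirname, name):
    """Same shell invocation, but shlex.quote() wraps the name in single
    quotes so the shell sees one word. Returns the line count as an int."""
    cmd = "wc -l " + shlex.quote(name)
    out = subprocess.run(cmd, shell=True, cwd=dirname,
                         capture_output=True, text=True, check=True).stdout
    return int(out.split()[0])


def count_lines_via_argv(dirname, name):
    """No shell at all: an argument list goes straight to execve(), so no
    string is ever parsed for metacharacters. Returns the line count."""
    out = subprocess.run(["wc", "-l", name], cwd=dirname,
                         capture_output=True, text=True, check=True).stdout
    return int(out.split()[0])


def count_lines_pure_python(dirname, name):
    """The option the message favours for most cases: do the work in Python
    and never involve the shell. Returns the line count."""
    with open(os.path.join(dirname, name)) as f:
        return sum(1 for _ in f)


if __name__ == "__main__":
    d = make_sample_dir()
    print("unsafe shell stdout:", repr(count_lines_via_shell_unsafe(d, UNTRUSTED_NAME)))
    print("shlex.quote:", count_lines_via_shell_quoted(d, UNTRUSTED_NAME))
    print("argv list:", count_lines_via_argv(d, UNTRUSTED_NAME))
    print("pure Python:", count_lines_pure_python(d, UNTRUSTED_NAME))
```

Running it, the unsafe variant's stdout contains INJECTED because the shell ran `echo INJECTED` as a second command (and wc complained about a non-existent report.txt), while the three other variants all report 3 lines for the oddly named file. Of the hardened forms, the argument-list and pure-Python versions are preferable to quoting: they remove the shell from the picture instead of trying to sanitize input for it.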