[Python-Dev] Restricted interpreter

Guido van Rossum guido@python.org
Fri, 08 Nov 2002 16:15:12 -0500


> > Are you aware of the standard library module 'rexec'?
> 
> In fileobject.c:
> 
> /* rexec.py can't stop a user from getting the file() constructor --
>    all they have to do is get *any* file object f, and then do
>    type(f).  Here we prevent them from doing damage with it. */
> if (PyEval_GetRestricted()) {
> 
> It looks like I was going to reinvent the wheel.

Glad you noticed. ;-)

> Is this being used in some project you know about?

Not that I'm aware of, and in fact we've plugged enough security leaks
in it so far that I'm not eager to recommend it.  But then, your
reinvented wheel would have the same problem.

> Btw, what's the point of FileWrapper, having in mind that it stores
> 'f' as an accessible attribute?
> 
> >>> r.s_exec("""import sys; print sys.stdout.f""")
> <open file '<stdout>', mode 'w' at 0x100eec30>

Beats me!  It looks like a debugging hack that accidentally made it
into the code; the code works just as well without self.f, it seems.

Unclear if there's any damage, since FileWrapper is only used to wrap
stdin, stdout and stderr.

But this amplifies the warning about rexec's viability.

Maybe you can use the time you were going to spend on reinventing
rexec for a security audit instead...

--Guido van Rossum (home page: http://www.python.org/~guido/)
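
An added example (not part of the original message, and not rexec's code), written for Python 3: a small audit that lists the attribute paths by which code holding a wrapper can get back the wrapped object, run against a wrapper shaped like the FileWrapper discussed above and against the same wrapper without the `f` attribute. The class names, `leak_paths` and the `io.StringIO` stand-in for stdout are assumptions made for illustration.

```python
import io

class LeakyWrapper:
    """Shaped like the FileWrapper discussed above: keeps the raw object as .f."""
    def __init__(self, f):
        self.f = f
        self.write = f.write
        self.flush = f.flush

class MethodOnlyWrapper:
    """The same wrapper with the self.f attribute dropped."""
    def __init__(self, f):
        self.write = f.write
        self.flush = f.flush

def leak_paths(wrapper, secret, max_depth=3):
    """Return sorted attribute paths from `wrapper` that yield `secret` itself.

    Follows public attributes plus __self__, which Python 3 exposes on bound
    methods (it has no restricted mode to hide it).
    """
    found, seen = [], {}
    stack = [(wrapper, "", 0)]
    while stack:
        obj, path, depth = stack.pop()
        if id(obj) in seen or depth >= max_depth:
            continue
        seen[id(obj)] = obj  # keep a reference so ids are not reused
        for name in [n for n in dir(obj) if not n.startswith("_")] + ["__self__"]:
            try:
                value = getattr(obj, name)
            except Exception:
                continue
            here = f"{path}.{name}" if path else name
            if value is secret:
                found.append(here)
            else:
                stack.append((value, here, depth + 1))
    return sorted(found)

if __name__ == "__main__":
    stream = io.StringIO()  # constructed stand-in for sys.stdout
    for cls in (LeakyWrapper, MethodOnlyWrapper):
        # Any reported path hands back the real object; type() of it is its class.
        print(cls.__name__, leak_paths(cls(stream), stream))
```
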