[Python-Dev] Restricted interpreter

Gustavo Niemeyer niemeyer@conectiva.com
Fri, 8 Nov 2002 20:55:23 -0200


> Unclear if there's any damage, since FileWrapper is only used to wrap
> stdin, stdout and stderr.

Yes, they probably could be even left unchanged in the restricted code.

> But this amplifies the warning about rexec's viability.
> 
> Maybe you can use the time you were going to spend on reinventing
> rexec for a security audit instead...

Good idea. Here's a first major problem:

class S(str):
    def __eq__(self, obj):
        return 1
open("/tmp/foo", S("w")).write("Ouch!")

I'll keep looking..

-- 
Gustavo Niemeyer

[ 2AAC 7928 0FBF 0299 5EB5  60E2 2253 B29A 6664 3A0C ]