[Python-Dev] new features for 2.3?

Samuele Pedroni pedronis@bluewin.ch
Tue, 7 Jan 2003 22:54:30 +0100


From: "Guido van Rossum" <guido@python.org>


> > I have always wondered, why do both ``cPickle`` (which uses camel-style
> > naming which I thought was a no-no) and ``Pickle`` exist?  They do exactly the
> > same thing (in theory).
>
> pickle.py is the specification of the protocol; cPickle.c is a
> reimplementation that's up to 1000x faster.  I always prototype new
> features in pickle.py.
>
> > Is there any other place where security has been built into
> > something?  Sounds like we should do a security inaudit (is that a
> > word?) and rip out pretty much all security code.
>
> There's very little code devoted specifically to security.  However,
> there's a feature called "restricted mode", and in restricted mode,
> certain introspections are disallowed.  Restricted mode is on when a
> particular stack frame's __builtins__ dictionary isn't the default one
> (which is __builtin__.__dict__ -- note the difference between
> __builtin__, which is a module, and __builtins__, which is a global
> with magic meaning).  Read the source for PyFrame_New().
>
> It turns out that in 2.2 and beyond, not enough restrictions were
> placed on disallowing new introspections that were enabled by virtue
> of the class/type integration, and that's the cause of most rexec
> vulnerabilities.

You may want to look at the places where PyEval_GetRestricted() is called; it is
used to check whether restricted execution is in place.
There are too few of those checks... and anyway blocking things in this ad hoc
way is a fragile strategy.