[Python-Dev] Re: Capabilities

Jeremy Hylton jeremy@alum.mit.edu
10 Mar 2003 12:26:26 -0500

On Sun, 2003-03-09 at 14:09, Samuele Pedroni wrote:
> maybe the question was unclear, but it was serious, what I was asking is
> whether some restricted code can do:
> try:
>   deliberate code to force exception
> except Exception,e:
>  ...
> so that e is caught unproxied. Looking at zope/security/_proxy.c it seems this
> can be the case...
> then to be (likely) on the safe side, all exception class definitions for
> possible e classes: like e.g.
> class MyExc(Exception):
>     ...
> ought to be executed _in restricted mode_, or be "trivial/empty": something
> like
> class MyExc(Exception):
>     def __init__(self, msg):
>         self.message = msg
>         Exception.__init__(self, msg)
>     def __str__(self):
>         return self.message
> is already too much rope.
> Although it seems not to have the "nice" two-level-of-calls behavior of Bastion
> instances, an unproxied instance of MyExc if MyExc was defined outside of
> restricted execution, can be used to break out of restricted execution.

Exceptions do seem like a problem.  If the exception objects are defined
in the safe interpreter, then untrusted code that catches an exception
can't follow references to an unsafe interpreter.  But it can modify the
exception objects and classes, which has the potential to cause a lot of

It also complicates the design of systems that want to run untrusted
code, because they must be very careful never to pass trusted exception
instances to untrusted code.

It seems like it would be nice if proxies could be used as exceptions,
so that there was a simple mechanism to enforce protection.