[Python-Dev] Internal namespace proposal

Armin Rigo arigo at tunes.org
Thu Jul 27 13:30:17 CEST 2006 

Hi David,

Your proposal is too vague to be useful.  In Python I would not feel
that any compiler-enforced restrictions are going to be too restrictive,
and so I believe that your approach is not viable, but I cannot give you
many concrete examples of why before you come up with a more concrete
specification.

More importantly, this is going to depend critically on a restricted
interpreter in the first place, in the sense of Brett, but the safety of
your proposal depends on the restricted interpreter forbidding many
operations that it would not otherwise forbid for its original goal.
For example, in Brett's use case there is no need to prevent reading the
'func_globals' attribute of function objects, but if that's allowed,
then accessing any _attribute of any module is easy.

About special methods: how do built-in functions like str(), int(), and
so on, know in which context they are called?  Surely you don't propose
that '2+3' should be invalid because it accesses the hidden attribute '2
.__add__' ?

How would you formulate a rule in term on Python's attribute look-up
algorithm to prevent the following trivial attack? :

x.py:
    
    # supposedly secure?

    _hidden = [1,2,3]

    class A:
        def __init__(self):
            self._authorized = ...
        def read(self):
            if not self._authorized:
                raise Forbidden
            return _hidden

attack.py:

    import x
    class B(x.A):
        def __init__(self):
            self._authorized = True

    b = B()
    print b.read()   # => [1,2,3]

On any real-life example I'm sure that hacks like overriding selected
methods on the instance itself would allow an attacker to confuse the
remaining methods enough to leak hidden information.

Here is a metaclass attack against the rule "self._attr is only allowed
if syntactically inside the class definition of the exact class of
self":

    class SupposedlySecure(object):
        _hidden = [1,2,3]


    class MetaAttack(type):
        def read(self):
            return self._hidden   # seen as an instance attribute

    class Attack(SupposedlySecure):
        __metaclass__ = MetaAttack

    print Attack.read()


A bientot,

Armin.

More information about the Python-Dev mailing list