[Python-Dev] Reviving restricted mode?

Benjamin Peterson benjamin at python.org
Sun Feb 22 18:54:54 CET 2009

On Sun, Feb 22, 2009 at 10:45 AM, Guido van Rossum <guido at python.org> wrote:
> I've received some enthusiastic emails from someone who wants to
> revive restricted mode. He started out with a bunch of patches to the
> CPython runtime using ctypes, which he attached to an App Engine bug:
> http://code.google.com/p/googleappengine/issues/detail?id=671
> Based on his code (the file secure.py is all you need, included in
> secure.tar.gz) it seems he believes the only security leaks are
> __subclasses__, gi_frame and gi_code. (I have since convinced him that
> if we add "restricted" guards to these attributes, he doesn't need the
> functions added to sys.)

We have to remember that it's quite trivial to segfault the
interpreter with pure Python. (See Lib/test/crashers)

Even if this patch manages to plug all the holes in the current
Python, do we really want to commit our selves to maintaining it
through language evolution which will surely introduce new subtle ways
to circumvent the guard?

IMO, the only fairly close to fool proof method of running restricted
python is through something like the PyPy sandbox where all os level
calls have to be checked by the master process.

> I don't recall the exploits that Samuele once posted that caused the
> death of rexec.py -- does anyone recall, or have a pointer to the
> threads?

It was broken by the introduction of new-style classes:



More information about the Python-Dev mailing list