[Python-Dev] Challenge: Please break this! [Now with blog post]
tav
tav at espians.com
Tue Feb 24 14:29:26 CET 2009
antoine> You'd better make __builtins__ read-only, it will
antoine> plug a whole class of attacks like this.
I tried to put this off as long as I could to try and unearth
interesting attacks.
But unfortunately I couldn't figure out a way to fix the warnings
approach used by Daniel without doing this -- so from v7 __builtins__
isn't shared any more.
The good thing is that we won't have more of the __builtins__ class of
attacks -- the flip side is that we might be closing the door on
discovering some really interesting gems...
andrew> I can look up the stack frames and get
andrew> "open_file", which I can then use for whatever I want.
Ehm, thanks for taking the time to implement that Andrew.
But the challenge was about doing `from safelite import FileReader`.
I specifically stated that form over the openly exploitable `import
safelite`... so, sorry =(
You have to remember that this isn't the way that this code will
actually be used in practice. This is just a challenge to see if the
model holds...
--
love, tav
plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian