[Python-Dev] Challenge: Please break this! [Now with blog post]
Samuele Pedroni
pedronis at openend.se
Sat Feb 28 16:53:09 CET 2009
Guido van Rossum wrote:
> On Mon, Feb 23, 2009 at 3:16 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>
>>> Don't I remember the previous restricted module dying a similar "death
>>> of 1,000 cuts" before it was concluded to be unsafe at any height and
>>> abandoned?
>>>
>> I think you are slightly misremembering. It got cut again and again,
>> but never died. Then, new-style classes hit an artery, and it bled
>> to death.
>>
>> I'm curious how this one fares.
>>
>
> FWIW, I am remembering more about how Samuele cracked it. It had to do
> with getting the supervisor code to call one of its own functions with
> arguments provided by the sandboxed code. Tav's safelite.py doesn't
> seem to be directly exploitable that way because (using ctypes hacks)
> it *removes* some offending special methods. But that door would be at
> least slightly ajar with Tar's proposed patch to Python, as that
> doesn't remove the offending attributes (__subclasses__ etc.); it only
> forbids them in restricted mode. But this once again enables Samuele's
> hack. (Oh if I only could find the link with the actual attack -- it
> was quite a bit more devious than attacks linked to so far.)
>
>
http://mail.python.org/pipermail/python-dev/2003-March/033978.html
More information about the Python-Dev
mailing list