question about Sandboxing.

Surial surial at crosswinds.net
Fri Aug 10 20:06:41 EDT 2001


In java, you have 2 features which AFAIK are not available in Python, 
which I always assumed to be required for sandboxing:

'final':

If you can't mark things as final, you can subclass a class, pass it
to an 'internal' method, and so trick internal classes into giving
you sensitive information. Imagine if you could take Java's
String class and subclass it.

(You can't; the entire String class is marked 'final'.) You could then
make a mutable subclass of String. (Java's String is immutable, meaning
that after construction of a String object it cannot change; there is no
such thing as string.setValue("new value"). You'll have to make a new
String if you want to do that.)

So, you pass an instance of your special MutableString to some kind
of internal method that now takes this string and makes sure it's
valid. Since you (the sandboxed application) still have the same
object reference, and it's actually a mutable string, you can now
change the string and the internal method will not be aware of it,
and thus will not perform a validity check.

'private':

Take the entire above argument and adapt it to the fact that
if nothing is truly private, I can change things anyway.
Python's local system (__foobar) actually translates
to __classname_foobar (or so I've read in the Python
tutorial), so Joe 'sandboxed' Application can still access
anything.



At least for the private issue I can understand a special
sandboxing application that will disable access to anything
fitting the regexp __.+_.+, but that won't help for
the 'final' issue.



How are these points addressed in RExec? (Python's
sandboxing environment, as I've read).


-- Reinier.
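As an added illustration of the check-then-use risk raised above (example code written here, not from the post, from RExec, or from Python's own library), assuming a hypothetical path validator and a constructed str subclass that changes its answer between the check and the use:

```python
# Added example: a str subclass whose __str__ gives a different answer on
# each call defeats a validator that re-derives the value at use time; the
# hardened version coerces to one exact, immutable str and uses only that.

ALLOWED_DIR = "/sandbox/"          # hypothetical sandbox root


class ShiftingPath(str):
    """Constructed untrusted object: reports a benign value on the first
    str() call and a different one afterwards (the Python analogue of the
    mutable String subclass described in the post)."""

    def __new__(cls, first, later):
        obj = super().__new__(cls, first)
        obj._first = first
        obj._later = later
        obj._calls = 0
        return obj

    def __str__(self):
        self._calls += 1
        return self._first if self._calls == 1 else self._later


def is_allowed(path):
    """Hypothetical policy: stay under ALLOWED_DIR, no parent references."""
    return path.startswith(ALLOWED_DIR) and ".." not in path


def open_unsafe(path):
    """Validates the caller's object, then asks it for the value again."""
    if not is_allowed(str(path)):
        raise PermissionError(path)
    return "opened " + str(path)    # second str() may not match the first


def open_safe(path):
    """Snapshots an exact str once; check and use see the same bytes."""
    p = str(path)
    if type(p) is not str:          # __str__ may hand back a str subclass
        raise TypeError("expected a plain str")
    if not is_allowed(p):
        raise PermissionError(p)
    return "opened " + p


class Guarded:
    def __init__(self):
        self.__token = "constructed-secret"   # stored as _Guarded__token


def private_is_reachable(obj):
    """Name mangling is a naming convention, not an access barrier."""
    return getattr(obj, "_Guarded__token", None) == "constructed-secret"
```

Running `open_unsafe` and `open_safe` on the same `ShiftingPath` shows the difference: the first opens the later value, the second opens only what it checked.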



