Replacing rexec

Aahz aahz at pythoncraft.com
Wed Jul 16 14:22:46 EDT 2003


In article <mailman.1058378245.3305.python-list at python.org>,
Tim Gerla  <tgerla at outsourcefinancial.com> wrote:
>
>We are looking to use plpython in PostgreSQL, but it's being downgraded
>to "untrusted" and/or being completely removed because Python's rexec
>went away. Why did rexec go away, specifically? I know it had security
>issues, but couldn't these have been fixed? Did the module just have too
>many integral flaws in the design to be worth saving?

There are two separate issues:

* rexec implementation -- it never had a true security audit, and there
have never been resources to do it.

* rexec vs new-style classes -- the basic mechanism used in rexec fails
in the face of new-style classes, which would require a complete rewrite
of rexec.

>Is anyone working on a replacement? If not, why not? Even if plpython
>isn't very widely used, I think it's still important for advocacy. I'd
>much rather write Python than PL.

There's been some talk, but it's likely that a secure Python will
require forking the code.  Note that it's already too easy to write a
DoS attack against Python: 100L**100**100 will do it.  Conversely, if
only trusted code is going into the server, there's no need for rexec.

>Anyway, I'm looking for a summary of specific reasons why rexec went
>away without a replacement. I understand completely that it had flaws
>and was insecure; I'm only confused as to why these flaws were
>insurmountable.

Take a look at http://www.amk.ca/python/howto/rexec/
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

A: No.
Q: Is top-posting okay?
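
An added example, not part of the original post and not a replacement for rexec: it illustrates the DoS point above by running code in a separate interpreter under OS resource limits, so the expression from the reply (written for Python 3, without the `L` suffix) is terminated instead of hanging the host process. It assumes a POSIX system; `run_limited`, `_cap` and the budget constants are hypothetical names and values chosen for illustration.

```python
import resource
import subprocess
import sys

# Assumed budgets for illustration; tune them for the real workload.
CPU_SECONDS = 1
MEMORY_BYTES = 512 * 1024 * 1024
WALL_SECONDS = 10


def _cap(kind, wanted):
    """Lower a limit to `wanted` without exceeding the inherited hard limit."""
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    resource.setrlimit(kind, (wanted, wanted))


def _apply_limits():
    # Runs in the child between fork() and exec(), so only the child is limited.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)   # kernel signals the child at the limit
    _cap(resource.RLIMIT_AS, MEMORY_BYTES)   # large allocations fail with MemoryError
    _cap(resource.RLIMIT_CORE, 0)            # no core file when the child is killed


def run_limited(source):
    """Run `source` in a separate interpreter; return (completed, stdout)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],
            preexec_fn=_apply_limits,
            capture_output=True,
            text=True,
            timeout=WALL_SECONDS,            # wall-clock backstop for sleeping code
        )
    except subprocess.TimeoutExpired:
        return False, ""
    # returncode < 0: killed by a signal (CPU limit); > 0: uncaught exception.
    return proc.returncode == 0, proc.stdout


if __name__ == "__main__":
    print(run_limited("print(2 + 2)"))        # well-behaved code completes
    print(run_limited("100 ** 100 ** 100"))   # stopped by the CPU limit
```

This contains resource exhaustion only; it does nothing to restrict what the child code can access.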



