Replacing rexec

John J. Lee jjl at pobox.com
Thu Jul 17 14:17:54 CEST 2003


aahz at pythoncraft.com (Aahz) writes:
[...]
> There's been some talk, but it's likely that a secure Python will
> require forking the code.  Note that it's already too easy to write a
> DoS attack against Python: 100L**100**100 will do it.  Conversely, if
> only trusted code is going into the server, there's no need for rexec.
[...]

I don't see how it's possible to prevent that, whatever language
you're using.

http://www.securingjava.com/chapter-four/chapter-four-3.html

| It is ironic that some of the most Java-heavy Web pages almost go as
| far as denial of service in doing what their programmers intended

<0.3 wink>

Isn't it true that the only solution to a program taking up too much
of a system's resources is to cap its resource usage, or stop it
running?  Usually, it's the OS's job to do that (which you might view
as almost the definition of an OS, perhaps) -- is that a bad thing?


John
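
Added example, not part of the original post: one way to let the OS cap a runaway evaluation, by running the expression in a child interpreter under kernel-enforced rlimits. It assumes a POSIX system and Python 3 (so the quoted expression is spelled `100**100**100`); the limit values and the names `run_capped`, `_cap` and `_apply_limits` are illustrative, and the limits bound CPU and memory only, not what the evaluated code may access.

```python
import resource
import signal
import subprocess
import sys

CPU_SECONDS = 1                # assumed budget of CPU time per evaluation
ADDRESS_SPACE = 1 << 30        # assumed cap on virtual memory (1 GiB)
CHILD = "import sys; print(eval(sys.argv[1]))"


def _cap(which, wanted):
    """Set soft and hard limit to `wanted`, never above the current hard limit."""
    _, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    resource.setrlimit(which, (wanted, wanted))


def _apply_limits():
    # Runs in the child after fork() and before exec(); the kernel enforces
    # the limits from then on, whatever the evaluated code does.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)


def run_capped(expr, wall_timeout=10):
    """Evaluate `expr` in a separate interpreter; return (status, detail)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", CHILD, expr],
            preexec_fn=_apply_limits, capture_output=True, text=True,
            timeout=wall_timeout,
        )
    except subprocess.TimeoutExpired:
        return ("killed", "wall-clock timeout")
    if proc.returncode == 0:
        return ("ok", proc.stdout.strip())
    if proc.returncode < 0:          # terminated by a signal (SIGXCPU/SIGKILL)
        return ("killed", signal.Signals(-proc.returncode).name)
    lines = proc.stderr.strip().splitlines()
    return ("error", lines[-1] if lines else "exit %d" % proc.returncode)


if __name__ == "__main__":
    for expr in ("2**10", "100**100**100"):
        print(expr, "->", run_capped(expr))
```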