Hardening environment by overloading __import__?
steven.bethard at gmail.com
Thu Jun 23 23:41:43 CEST 2005
Steve Juranich wrote:
> I have in some code an 'eval', which I hate, but it's the shortest
> path to where I need to get at this point.
What's this code trying to do? If you care about malicious code at all,
you'll avoid 'eval' completely. A couple of reasons why:
With only a little trouble, I can get to the file object and write stuff
to your machine:
Sure, you can avoid this by supplying your own __builtins__ to disable
the file constructor:
Traceback (most recent call last):
  File "<interactive input>", line 1, in ?
  File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode
But even without the file constructor, I can still access pretty much
any attribute of any class object by looking at object.__subclasses__():
py> class C(object):
...     def __init__(self):
...         self.f = file('temp.txt', 'w')
Moral of the story: don't use eval if you care about security!
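The escape described above, worked through as an added example that is not part of Steven's post. It is written for Python 3, which has no file() builtin, so the same point is made by removing open() instead: a hand-rolled __builtins__ stops the direct call, but any literal still carries __class__, whose MRO leads to object, and object.__subclasses__() walks to every class in the host program. The names FileHolder, restricted_eval and the ESCAPE string are constructed for this example; ast.literal_eval is shown as the check a practitioner would use instead when the input is data rather than code.

```python
"""Added example (not from the original thread): a custom __builtins__ does
not make eval() safe, because object.__subclasses__() is reachable from any
literal and leads back to the host program's own classes."""
import ast


# Constructed for the example: a class in the host program that holds a
# reference to the real open(). The sandboxed expression never names it.
class FileHolder:
    def __init__(self):
        self.opener = open  # the real builtin, captured at construction


def restricted_eval(expr):
    """eval() with an empty __builtins__: no open, no __import__, nothing."""
    return eval(expr, {"__builtins__": {}}, {})


def direct_open_blocked():
    """The naive defence appears to work: a direct open() call fails."""
    try:
        restricted_eval("open('temp.txt', 'w')")
    except NameError:
        return True
    return False


# The escape: () -> tuple -> object -> every subclass of object, filtered by
# name, instantiated, and the captured open() read back out.
ESCAPE = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == 'FileHolder'][0]().opener"
)


def escaped_open():
    """Recover the real open() through the 'restricted' eval."""
    return restricted_eval(ESCAPE)


def escape_recovers_open():
    return escaped_open() is open


def safe_parse(text):
    """For data (numbers, strings, lists, dicts) use ast.literal_eval: it
    only accepts literal syntax and never executes attribute access."""
    return ast.literal_eval(text)


def literal_eval_refuses_escape():
    try:
        safe_parse(ESCAPE)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("direct open() blocked:", direct_open_blocked())
    print("open() recovered via __subclasses__:", escape_recovers_open())
    print("literal_eval refuses the escape:", literal_eval_refuses_escape())
```

Nothing is written to disk here; escaped_open() only returns the recovered function, which is enough to show that the "restricted" environment is not restricted at all. If the input is meant to be data, ast.literal_eval is the replacement; if it is meant to be code, there is no __builtins__ trick that makes eval() safe.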