Is python buffer overflow proof?

Fuzzyman fuzzyman at gmail.com
Fri Aug 7 22:52:03 CEST 2009


On Aug 3, 10:04 pm, sturlamolden <sturlamol... at yahoo.no> wrote:
> On 2 Aug, 15:50, Jizzai <jiz... at gmail.com> wrote:
>
> > Is a _pure_ python program buffer overflow proof?
>
> > For example in C++ you can declare a char[9] to hold user input.
> > If the user inputs 10+ chars a buffer overflow occurs.
>
> Short answer: NO
>
> Bounds checking on sequence types is a protection against buffer
> overflow, but is certainly not sufficient.
>
> The Python interpreter is written in C. Python extension modules are
> written in C (or something similar). If you find an unprotected buffer
> in this C code, you can possibly overflow this buffer. This can be
> used for nasty things like corrupting the stack and injecting
> malicious code. There is a reason why the Python sandbox (rexec and
> Bastion modules) was disabled in Python 2.3.
>
> IronPython and Jython provides better protection against buffer
> overflow than CPython, as these interpreters are written in safer
> languages (C# and Java). You thus get an extra layer of protection
> between the Python code and the unsafe C (used in JVM and .NET
> runtimes).

Well, both Java and .NET both have their own FFI that let you do
whatever you want (more or less).

Michael Foord
--
http://www.ironpythoninaction.com/



More information about the Python-list mailing list