Challenge: Please break this! [Python Security]

tav tav at espians.com
Mon Feb 23 15:50:57 EST 2009


Hey all,

As an attempt to convince Python-Dev of the merits of a
functions-based approach to security in Python, I've come up with a
simple challenge.

If enough smart hackers look at this and it holds up, Guido promises
to accept a patch which would enable this on both App Engine and
future Python versions.

So, please try the challenge and let me know how you find it. Thanks!

The challenge is simple:

* Open a fresh Python interpreter and do:

    >>> from safelite import FileReader

* You can use FileReader to read files on your filesystem
* Now find a way to *write* to the filesystem from your interpreter

[safelite.py is attached to this mail]

Please note that the aim of this isn't to protect Python against
crashes/segfaults or exhaustion of resources attacks, so those don't
count.

I'm keen to know your experiences even if you don't manage to write to
the filesystem -- and especially if you do!

Dinner and drinks on me for an evening -- when you are next in London
or I am in your town -- to the first person who manages to break
safelite.py and write to the filesystem.

Good luck and thanks! =)

-- 
love, tav

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: safelite.py
Type: text/x-python-script
Size: 5994 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-list/attachments/20090223/8300e359/attachment.bin>

