List comprehension - NameError: name '_' is not defined ?
mdw at distorted.org.uk
Thu Jan 15 21:36:36 CET 2009
mario ruggier <mario.ruggier at gmail.com> writes:
> Some info on its security is at:
> Tell you what, if you find a security hole there (via exposed template
> source on a Domain(restricted=True) setup) I'll offer you a nice
> dinner (including the beer!) somewhere, maybe at some py conference,
> but even remotely if that is not feasible... ;-) The upcoming 0.4
> release will run on 2.4 thru to 3.0 -- you can have some fun with that
> one (the current 0.3 runs on 2.5 and 2.6).
I'm pretty sure I can break this on 3.0, because the f_restricted frame
flag has gone. Here's how:
>>> import template, domain
>>> dom = domain.Domain('/tmp/mdw/', restricted = True, quoting = 'str')
>>> t = template.Template(dom, 'evil', from_string = True, src =
2009-01-15 20:30:29,177 ERROR [evoque] RuntimeError: restricted
attribute: File "<string>", line 1, in <module>
u'[RuntimeError: restricted attribute: File "<string>", line 1, in
which means that it's depending on the func_globals attribute being
rejected by the interpreter -- which it won't be because 3.0 doesn't
have restricted evaluation any more.
Python is very leaky. I don't think trying to restrict Python execution
is a game that's worth playing.
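
The dependency described in this message, as an added example that is not part of the original post and not evoque's code: a fail-closed startup check that refuses to offer a restricted mode unless the interpreter itself rejects reads of a function's globals. The function and exception names are hypothetical, and the probe only reads the globals of a function it defines itself.

```python
# Added example (hypothetical names, not evoque's API).
# A sandbox that relies on the interpreter rejecting function-globals access
# should verify that behaviour at startup instead of assuming it.

ATTRS = ("func_globals", "__globals__")  # 2.x spelling, then 2.6+/3.x spelling

# The probe defines its own function and reads that function's globals.
PROBE = "def _f():\n    pass\nvalue = _f.%s\n"


class RestrictionUnavailable(Exception):
    """The interpreter does not enforce restricted attributes."""


def probe_function_globals():
    """Classify each attribute as 'rejected', 'absent' or 'readable'.

    The probe runs with a substituted __builtins__ mapping, the condition
    under which Python 2 treated a frame as restricted.
    """
    results = {}
    for attr in ATTRS:
        namespace = {"__builtins__": {}}
        try:
            exec(compile(PROBE % attr, "<probe>", "exec"), namespace)
        except AttributeError:
            results[attr] = "absent"    # attribute name not present on this version
        except RuntimeError:
            results[attr] = "rejected"  # interpreter refused: restricted attribute
        else:
            results[attr] = "readable"  # nothing stopped the read
    return results


def interpreter_enforces_restriction():
    """True only if no spelling is readable and at least one is rejected."""
    outcomes = list(probe_function_globals().values())
    return "readable" not in outcomes and "rejected" in outcomes


def require_interpreter_restriction():
    """Call before enabling a restricted mode; raises instead of degrading."""
    if not interpreter_enforces_restriction():
        raise RestrictionUnavailable(
            "interpreter does not reject function-globals access: %r"
            % probe_function_globals())
```

On an interpreter without restricted evaluation the check raises, so the caller never silently runs untrusted templates with protection it does not have.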