[Python-checkins] r51757 - python/branches/bcannon-objcap/securing_python.txt

brett.cannon python-checkins at python.org
Wed Sep 6 02:01:52 CEST 2006


Author: brett.cannon
Date: Wed Sep  6 02:01:50 2006
New Revision: 51757

Modified:
   python/branches/bcannon-objcap/securing_python.txt
Log:
Cleanup Status; remove implementation details of a safe PyFile C API and remove
built-in functions whose safety was questioned.


Modified: python/branches/bcannon-objcap/securing_python.txt
==============================================================================
--- python/branches/bcannon-objcap/securing_python.txt	(original)
+++ python/branches/bcannon-objcap/securing_python.txt	Wed Sep  6 02:01:50 2006
@@ -15,14 +15,6 @@
           subclasses are actually worth something. [done]
         * Create PyFile_Safe*() version of C API that goes through
           open() built-in.
-            + Convert C strings to Python objects and do a direct
-              call.
-            + Since I/O-bound anyway going from C->Python->C should
-              not be a large performance penalty.
-            + Function also not called in a tight loop which also
-              makes less of a performance-critical operation.
-            + Might need to add some C code for easily accessing
-              built-in objects.
     - code [done]
         * Add objcap.code_new() function [done]
     - frame
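Review bot: dropping all four sub-points under "Create PyFile_Safe*() version of C API" leaves an item that is still open (no [done]) with no recorded design; "Convert C strings to Python objects and do a direct call" was the only statement of how C callers get routed through the sandboxed open(), and the argument for accepting the C->Python->C round trip (I/O-bound, not in a tight loop) goes with it. Suggest keeping at least the first sub-point, or a one-line pointer to wherever the design now lives, so the rationale survives until the item is finished.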
@@ -34,14 +26,13 @@
 + Sandboxed versions of built-ins (`Sanitizing Built-In Types`_)
     - open()
     - __import__() / PEP 302 importer (`Imports`_)
-    - compile() (?)
-    - eval() (?)
     - execfile()
-    - exit() (XXX verify if it kills the interpreter or the process;
-      should also check raising SystemExit)
-    - input() / raw_input()  (XXX make sure it gets its stdin from sys.stdin
-        and not sys.__stdin__)
-    - globals() / vars() (?)
+        * Force to go through open()
+            + Prevents opening unauthorized files.
+            + Prevents using as a way to probe filesystem.
+    - exit() 
+        * XXX verify that raising SystemExit in a sub-interpreter only
+          exits that sub-interpreter and not the process.
 + Filesystem path hiding (`Filesystem Information`_)
 + Tweaked stdlib modules
     - mini 'sys' module (`Making the ``sys`` Module Safe`_)
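Review bot: the removed `compile() (?)`, `eval() (?)` and `globals() / vars() (?)` entries disappear without a recorded decision, and the `input() / raw_input()` line was not an open question but a concrete check (reads must come from sys.stdin, not sys.__stdin__) that should still be run; deleting them loses both. Suggest moving the three `(?)` built-ins under a "considered, not sandboxed" heading with the one-line reason for each, and keeping the input() check next to the retained exit() XXX. The new `* Force to go through open()` sub-bullets attach only to execfile(), which reads correctly, but note that this covers the file-probe concern and not the globals/locals dicts execfile() also accepts.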
@@ -539,8 +530,6 @@
     + Will definitely use the ``open()`` built-in.
 * code objects
 * XXX sockets?
-* XXX type?
-* XXX
 
 
 Filesystem Information
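Review bot: `* XXX type?` is removed from the list of objects to sanitize while `* XXX sockets?` is kept, with nothing saying why the question about `type` is settled. Since the `__subclasses__()` method addressed under `object` further down is looked up on `type`, the `type` question is the same question and should be resolved rather than dropped; suggest folding it into the `object` entry or recording the reason `type` needs no treatment.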
@@ -574,7 +563,6 @@
 * ``object``
     + ``__subclasses__()`` function
         - Remove the function; never seen used in real-world code.
-* XXX
 
 
 Perimeter Defences Between a Created Interpreter and Its Creator
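Review bot: "Remove the function; never seen used in real-world code" is a usage argument rather than a safety one, and removing `__subclasses__()` from `object` alone is not sufficient: the method is defined on `type`, so `type.__subclasses__(object)` returns the same list even when the attribute is hidden on `object`. Suggest stating the actual threat (walking from `object` to every loaded class, which is how a sandboxed namespace gets back to types such as file), removing or guarding the method on `type`, and adding a test that `type.__subclasses__(object)` is also blocked.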