[Python-Dev] Fw: Security hole in rexec?
Guido van Rossum
guido@python.org
Tue, 27 Aug 2002 11:02:24 -0400
> > [rexec compromised by deleting __builtins__]
> >
> > This has been known for a while, see python.org/sf/577530.
> >
> > My recommendation is the same as always: don't trust rexec.
> >
> > --Guido van Rossum (home page: http://www.python.org/~guido/)
>
> I think it is a VERY BAD idea to advertise publicly that rexec can be
> used to "safely" restrict execution, while privately (i.e., the above
> postings to a developers-only list and to sourceforge).
>
> Therefore I propose that the official documentation to the Python
> Library Reference for the module rexec be modified to add a note saying
> that rexec is not completely reliable and can be undermined by a
> knowledgeable hacker. The current documentation STRONGLY implies this is
> NOT the case by explaining in detail the more minor susceptibility to
> DOS attacks (memory or CPU time) and raising SystemExit.
>
> Why not add something like the following to the beginning of the module
> documentation:
>
> """
> Warning: While the rexec module is designed to perform as described
> below, it does have a few known vulnerabilities which could be exploited
> by carefully written code. Thus it should not be relied upon in
> situations requiring "production ready" security. In such situations,
> execution via sub-processes (a separate Python executable) or very
> careful "cleansing" of data to be processed may be necessary.
> Alternatively, help in patching known rexec vulnerabilities would be
> welcomed.
> """
>
> Admitting to library weaknesses (especially in the area of security)
> doesn't make great PR, but at least it's honest!

Yes. This should be done.

--Guido van Rossum (home page: http://www.python.org/~guido/)