[Python-Dev] Capabilities / Restricted Execution
Talin
talin at acm.org
Tue Jul 11 20:10:34 CEST 2006
Scott Dial wrote:
> Phillip J. Eby wrote:
>
>>A function's func_closure contains cell objects that hold the
>>variables. These are readable if you can set the func_closure of some
>>function of your own. If the overall plan includes the ability to restrict
>>func_closure setting (or reading) in a restricted interpreter, then you
>>might be okay.
>
>
> Except this function (__getattribute__) has been trapped inside of a
> class which does not expose it as an attribute. So, you shouldn't be
> able to get to the func_closure attribute of the __getattribute__
> function for an instance of the Guard class. I can't come up with a way
> to defeat this protection, at least. If you have a way, then I'd be
> interested to hear it.
I've thought of several ways to break it already. Some are repairable,
I'm not sure that they all are.
For example, neither of the following statements blows up:
print t2.get_name.func_closure[0]
print object.__getattribute__( t2, '__dict__' )
Still, its perhaps a useful basis for experimentation.
-- Talin
More information about the Python-Dev
mailing list