[Python-Dev] Challenge: Please break this! [Now with blog post]

tav tav at espians.com
Tue Feb 24 16:23:47 CET 2009


Hey Andrew & Victor,

  tav> But the challenge was about doing `from safelite import FileReader`.

  Andrew> Though it doesn't say so on the first post on this thread
  Andrew> nor your page at
  Andrew> http://tav.espians.com/a-challenge-to-break-python-security.html

Sorry, perhaps I should have clearly instructed NOT to do `import safelite`.

I thought the following text would have been clear enough:

  Open a fresh Python interpreter and do:
  >>> from safelite import FileReader

But I can see how that might not have been enough. I'll amend the
second line to:

  >>> from safelite import FileReader # AND NOT ``import safelite``

Would that be clearer?

  Andrew> I haven't been watching this discussion closely
  Andrew> and I can't find mention of this

Sorry, the discussion has been meandering. It started on:

* http://code.google.com/p/googleappengine/issues/detail?id=671

Then went on to:

* http://codereview.appspot.com/21043/show

And finally ended up here on Python-Dev to get approval for the patch.
And in the process of getting the approval, the safelite challenge
started...

  Andrew> is the goal to support only 2.x or also support
  Andrew> Python 3? Your model seems to assume 2.x
  Andrew> only, and there may be 3.x attacks that aren't
  Andrew> considered in the challenge.

The model is suited for both 2.x and 3.x. The safelite test on the
other hand is targeted at 2.x (starting from 2.5).

You have a point with regard to there being 3.x attacks out
there. Perhaps we can get a 3.x compatible version of safelite out?

  tav> And instead of trying to make tb_frame go away, I'd like
  tav> to add the following to my proposed patch of
  tav> RESTRICTED attributes [snip]

  Andrew> which of course would make the above no longer work.

The challenge helped identify those attributes, and will hopefully
identify any other "leak" attributes which may still be there.

  Andrew> A goal is to use this in App Engine, yes?

Yes.

  Andrew> Which uses cgitb to report errors? Which needs these
  Andrew> restricted frame attributes to report the values of
  Andrew> variables when the error occurred?

The frame attributes will still be accessible by cgitb. Python's
existing IsRestricted framework in the interpreter will take care of
that.

It's genius!!

  Victor> We should be able to restore the original environment.
  Victor> Example:

  Victor> jail(evil_func)  # called in the jail
  Victor> # unsafe environment with __subclasses__, f_code, etc.

Hmz, Python's IsRestricted already enables this.

I think it's time that I wrote some documentation that Martin wanted
explaining Python's already existing IsRestricted support.

Besides a few lines here and there, there seems to be no comprehensive
documentation on this that I can find anywhere. And I think this may
be the cause of much confusion?

Would that help?

-- 
love, tav

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian