[Python-Dev] Some news from my sandbox project
Robert Collins
robertc at robertcollins.net
Sat Sep 18 10:39:58 CEST 2010
On Sat, Sep 18, 2010 at 8:24 PM, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
> Victor Stinner wrote:
>
>> I'm still developing irregulary my sandbox project since last june.
>
>> Today, the biggest problem is the creation of a read only view of the
>> __builtins__ dictionary.
>
> Why do you think you need to do this? What form of attack
> would a writable __builtins__ expose you to that would be
> prevented by making it read-only?
>
> Seems to me that the only way you could exploit a writable
> __builtins__ would be to put a function in there that does
> something bad. But if you can create or obtain such a
> function in the first place, you can just call it directly.
__builtins__ is in everyone's global namespace, so if it can be
mutated, different python programs running in the same sandbox can
affect each other.
Ditto sys.modules and os environ, but I guess that those are already addressed.
-Rob
More information about the Python-Dev
mailing list