Embedding Python in Python

Paul Rubin http
Wed Aug 18 17:58:11 EDT 2004


JCM <joshway_without_spam at myway.com> writes:
> >> need to be aggressive, but I believe it's possible.  For example,
> >> disallow exec statements, the identifier "eval", any identifier of
> >> __this__ form, import statements, etc.  This is overly restrictive,
> >> but it will provide security.
> > Hint: 
> >   e = vars()['__builtins__'].eval
> >   print e('2+2')
> 
> I don't think it's as difficult as you think.  Your snippet of code
> would be rejected by the rules I suggested.  You'd also want to
> prohibit other builtins like compile, execfile, input, reload, vars, etc.

I don't see how.  Your rules were to disallow:

  1) exec statements.  My example doesn't use it.

  2) eval identifier.  My example uses eval as an attribute and not an
     identifier.  You can eliminate the use of eval as an attribute with
       e = getattr(vars()['__builtins__'], 'ev'+'al').
     Now not even the string 'eval' appears in one piece.

  3) identifiers like __this__.  My example doesn't use any.  It
     uses a constant string of that form, not an identifier.  The
     string could be computed instead, like the eval example above.

  4) import statements.  My example doesn't use them.

Conclusion, my example gets past your suggested rules.  I also didn't
use compile, execfile, input, or reload.  I did use vars but there are
probably other ways to do the same thing.  You can't take something
full of holes and start plugging holes until you think you found them
all.  You have to start with something that has no holes.  The Python
crowd has been through this many times already; do some searches for
rexec/Bastion security.
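
Added example, not part of the original post: a static filter for the four proposed rules in their strictest reading (banned names are checked as attribute names too), written for Python 3, where exec is a function rather than a statement. It only parses the two snippets from the thread, never runs them, and shows that the getattr form is accepted; the function and constant names are this example's own.

```python
import ast

# The four rules proposed in the thread, read as strictly as possible:
# names are checked both as bare identifiers and as attribute names.
BANNED_NAMES = {"eval", "exec"}  # exec is a function in Python 3
# The longer list suggested in the quoted reply.
EXTRA_BUILTINS = {"compile", "execfile", "input", "reload", "vars"}


def is_dunder(name):
    """True for identifiers of the __this__ form."""
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def violations(source, banned=BANNED_NAMES):
    """Return the rule violations found in `source` (empty list = accepted)."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            found.append("import statement")
            continue
        if isinstance(node, ast.Name):
            ident = node.id
        elif isinstance(node, ast.Attribute):
            ident = node.attr
        else:
            continue  # string constants are data, not identifiers
        if ident in banned:
            found.append("banned identifier: " + ident)
        elif is_dunder(ident):
            found.append("dunder identifier: " + ident)
    return found


# The two snippets from the thread (parsed only, never executed here).
ATTRIBUTE_FORM = "e = vars()['__builtins__'].eval"
GETATTR_FORM = "e = getattr(vars()['__builtins__'], 'ev' + 'al')"

if __name__ == "__main__":
    for label, src in [("attribute form", ATTRIBUTE_FORM),
                       ("getattr form", GETATTR_FORM)]:
        print(label, "->", violations(src) or "accepted")
    # Adding vars to the list rejects this one spelling only.
    print("getattr form, longer list ->",
          violations(GETATTR_FORM, BANNED_NAMES | EXTRA_BUILTINS))
```

The filter sees '__builtins__' and 'ev' + 'al' as string data, so nothing in the getattr form matches an identifier rule; the name being looked up exists only at run time.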


