Embedding Python in Python
JCM
joshway_without_spam at myway.com
Thu Aug 19 09:00:25 EDT 2004
Paul Rubin <http://phr.cx@nospam.invalid> wrote:
...
>> > Hint:
>> > e = vars()['__builtins__'].eval
>> > print e('2+2')
>>
>> I don't think it's as difficult as you think. Your snippet of code
>> would be rejected by the rules I suggested. You'd also want to
>> prohibit other builtins like compile, execfile, input, reload, vars, etc.
> I don't see how. Your rules were to disallow:
> 1) exec statements. My example doesn't use it.
> 2) eval identifier. My example uses eval as an attribute and not an
> identifier. You can eliminate the use of eval as an attribute with
> e = getattr(vars()['__builtins__'], 'ev'+'al').
> Now not even the string 'eval' appears in one piece.
You've used eval as an identifier (at least by the terminology to
which I'm accustomed), just not as a variable.
> 3) identifiers like __this__. My example doesn't use any. It
> uses a constant string of that form, not an identifier. The
> string could be computed instead, like the eval example above.
> 4) import statements. My example doesn't use them.
> Conclusion, my example gets past your suggested rules. I also
> didn't use compile, execfile, input, or reload. I did use vars but
> there are probably other ways to do the same thing. You can't take
> something full of holes and start plugging holes until you think you
> found them all. You have to start with something that has no holes.
It's fine to look at it that way. Start with a subset of Python that
you know to be safe, for example only integer literal expressions.
Keep adding more safe features until you're satisfied with the
expressiveness of your subset.
> The Python crowd has been through this many times already; do some
> searches for rexec/Bastion security.
I did do a [quick] search, and saw a lot of articles about how rexec
and Bastion were insecure; but I didn't find any arguments about how
it's (too) difficult to come up with a safe subset of Python, for some
definition of "safe".
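The allow-list approach JCM describes above (start from integer literal expressions and extend), as an added example that is not part of the original thread: an AST-based evaluator that accepts only integer constants and a handful of arithmetic operators, so the `vars()['__builtins__'].eval` trick is rejected by structure rather than by pattern-matching names. Function and exception names below are my own.

```python
import ast
import operator

# Allow-list: only these node types and operators are ever evaluated.
# Everything else (Name, Call, Attribute, Subscript, str constants, ...)
# is rejected, so there is nothing to "plug" later.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    # ast.Pow deliberately omitted: 9**9**9 would exhaust memory/CPU.
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the allow-list."""


def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    # type(...) is int, not isinstance, so bool constants are excluded too.
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise UnsafeExpression("disallowed syntax: %s" % type(node).__name__)


def safe_int_eval(source):
    """Evaluate an integer-literal arithmetic expression; never calls eval()."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("not an expression: %s" % exc) from exc
    return _eval_node(tree)


def is_safe(source):
    """True if the expression is entirely within the allowed subset."""
    try:
        safe_int_eval(source)
        return True
    except UnsafeExpression:
        return False
```

Extending the subset means adding a node type to the allow-list on purpose, which is the direction of reasoning the post argues for.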