Turning String into Numerical Equation
Steven Bethard
steven.bethard at gmail.com
Tue Mar 15 10:59:41 EST 2005
Steven Bethard wrote:
> Yeah, I was concerned about the same thing, but I realized that I can't
> actually access any of the func_globals attributes:
>
> py> eval('(1).__class__.mro()[-1].__subclasses__()[17]'
> ... '.substitute.func_globals', dict(__builtins__=None))
> Traceback (most recent call last):
> File "<interactive input>", line 2, in ?
> File "<string>", line 0, in ?
> RuntimeError: restricted attribute
>
> AFAIK, you need to get to func_globals to do anything really
> interesting. (You can get file through object, but you can't get
> __import__ AFAIK. So you can read and write files which means you can
> create a DOS attack, but I don't know how to do the eqivalent of, say,
> 'rm -rf /'.)
Hmm... I also can't access the file constructor:
py> eval("(1).__class__.mro()[-1].__subclasses__()[16]"
... "('temp.txt', 'w').write('')", dict(__builtins__=None))
Traceback (most recent call last):
File "<interactive input>", line 2, in ?
File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode
STeVe
More information about the Python-list
mailing list