Replacing open builtin

Jp Calderone exarkun at divmod.com
Wed May 11 09:15:07 EDT 2005


On 11 May 2005 05:56:04 -0700, rmm at iname.com wrote:
>Sorry, should maybe have used __import__ as an example.
>Let's say I grab import, store the reference within the Isolate class
>and then redirect the builtin import to a function in the Isolate class
>which only allows certain modules to be imported -eg not sys.   Would
>this be secure?
>

  Probably not.  For example:

    >>> (1).__class__.__bases__[0].__subclasses__()[-1]('/dev/null')
    <open file '/dev/null', mode 'r' at 0xb7df53c8>

  Security through subtracting features usually ends up leaving some holes around (because there's just that *one* more thing you missed).  What the holes are depends on the details of the implementation, but they pretty much always exist.  Making a reference-restricted Python interpreter is a large challenge: you either have to spend a huge amount of effort taking things out of CPython (months and months of development time, at least), or write a new interpreter from scratch.

  Older versions of Python thought they had this licked; see the rexec module for the attempt that is no longer maintained.

  Jp
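As an added example, not code from the original message or from any Python project: the same class-hierarchy escape Jp shows above, run against a Python 3 version of the "subtract the dangerous builtins" idea from the question. Assumptions: CPython 3, and that the host process has imported os (CPython's normal startup does this via site; the block imports it explicitly so the demo is deterministic). The names restricted_builtins, run_restricted, ESCAPE, open_is_blocked and escape_results are this example's own, and the recovered classes (io.FileIO, os._wrap_close) are just two convenient ones out of everything reachable from object.

```python
"""
Added example (not from the thread): subtract open/__import__ from the builtins,
then escape through the live class hierarchy, as the post's (1).__class__... line does.
"""
import builtins
import io
import os   # CPython's site module loads this at startup anyway; imported so the demo is deterministic
import sys


def restricted_builtins():
    """The 'Isolate' idea: start from the real builtins and subtract the scary names."""
    safe = dict(vars(builtins))
    for name in ("open", "__import__", "exec", "eval", "compile", "input", "breakpoint"):
        safe.pop(name, None)
    return safe


def run_restricted(src):
    """Execute untrusted source with only the subtracted builtins; it reports back via `result`."""
    result = {}
    exec(src, {"__builtins__": restricted_builtins(), "result": result})
    return result


# Untrusted code. It never names open, __import__, os or sys, yet recovers all of them.
ESCAPE = r'''
def walk(cls):
    # Depth-first over the live class graph. type.__subclasses__(cls) rather than
    # cls.__subclasses__() so that metaclasses (type, ABCMeta, ...) do not trip the walk.
    for sub in type.__subclasses__(cls):
        yield sub
        yield from walk(sub)

root = (1).__class__.__bases__[0]           # int -> object, without looking up 'object'
classes = list(walk(root))

# 1. A file constructor without open(): io.FileIO is a plain class that takes a path.
result['fileio'] = next(c for c in classes if c.__name__ == 'FileIO')

# 2. A module namespace without __import__: a pure-Python method's __globals__ is its
#    module dict. os._wrap_close is defined in os.py, so this is the os module, which
#    already holds os.system and the sys it imported.
wrap_close = next(c for c in classes if c.__name__ == '_wrap_close' and c.__module__ == 'os')
os_globals = wrap_close.__init__.__globals__
result['os_system'] = os_globals['system']
result['sys'] = os_globals['sys']
'''


def open_is_blocked():
    """Sanity check: the subtraction does block a direct call to open()."""
    try:
        run_restricted("open('/dev/null')")
    except NameError:
        return True
    return False


def escape_results():
    """Run ESCAPE under the restricted builtins and report whether the real objects leaked."""
    r = run_restricted(ESCAPE)
    return {
        "fileio_is_real": r["fileio"] is io.FileIO,
        "os_system_is_real": r["os_system"] is os.system,
        "sys_is_real": r["sys"] is sys,
    }


if __name__ == "__main__":
    print("open() blocked:", open_is_blocked())
    print("escape:", escape_results())
```

The direct call to open() does fail, which is what makes the approach look secure in testing. The untrusted code only needs the `type` builtin and attribute access, neither of which can be removed without breaking ordinary Python, and every class the interpreter has ever loaded is reachable from object, so the set of things to "subtract" is unbounded.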


