Replacing open builtin
Steven Bethard
steven.bethard at gmail.com
Fri May 13 17:23:31 EDT 2005
Jp Calderone wrote:
> Probably not. For example:
>
> >>> (1).__class__.__bases__[0].__subclasses__()[-1]('/dev/null')
> <open file '/dev/null', mode 'r' at 0xb7df53c8>

However:

py> eval("(1).__class__.__bases__[0]"
...      ".__subclasses__()[16]('/dev/null')",
...      dict(__builtins__={}))
Traceback (most recent call last):
  File "<interactive input>", line 3, in ?
  File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode

Also worth noting that you can't get the builtins through a function's
globals either:

py> eval("(1).__class__.__bases__[0]"
...      ".__subclasses__()[17].substitute.func_globals",
...      dict(__builtins__={}))
Traceback (most recent call last):
  File "<interactive input>", line 3, in ?
  File "<string>", line 0, in ?
RuntimeError: restricted attribute

I've read some of the older posts, which suggested that you could
restore __builtins__ using a global declaration and a delete, but I
can't reproduce that bug in current Python.

Note that even if you supply the file object as part of your
__builtins__, the constructor is still not accessible in restricted mode:

py> eval("file('/dev/null')", dict(__builtins__=dict(file=file)))
Traceback (most recent call last):
  File "<interactive input>", line 1, in ?
  File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode

I believe the official stance is something like: "Well restricted mode
probably works in a lot of cases, but we're not confident enough in it
(having found bugs in it over and over) that we'd suggest it for
production use."

STeVe
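
Added example (not part of the original post or of Python itself): the IOError and RuntimeError above come from the Python 2 interpreter's restricted mode, which Python 3 does not have, so on a current interpreter an empty __builtins__ cannot be relied on to stop these attribute walks. One defensive alternative is to refuse such expressions before they reach eval() by allowlisting AST node types; the names safe_eval, check_expression, is_rejected and RejectedExpression are assumptions made for this sketch.

```python
import ast

# Allowlisted syntax: numeric literals, names, arithmetic, comparisons and
# boolean logic. Attribute, Call and Subscript are deliberately absent, so
# walks such as x.__class__.__bases__ never reach eval().
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.UnaryOp, ast.USub, ast.UAdd, ast.Not,
    ast.BoolOp, ast.And, ast.Or,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)

# The three expressions evaluated in the post above, copied verbatim.
POST_EXPRESSIONS = [
    "(1).__class__.__bases__[0].__subclasses__()[16]('/dev/null')",
    "(1).__class__.__bases__[0].__subclasses__()[17].substitute.func_globals",
    "file('/dev/null')",
]

class RejectedExpression(ValueError):
    """Raised when an expression uses syntax or names outside the allowlist."""

def check_expression(source, allowed_names=()):
    """Return the parsed AST, or raise RejectedExpression."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise RejectedExpression("not an expression: %s" % exc.msg)
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise RejectedExpression("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            raise RejectedExpression("unknown name: " + node.id)
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float)):
            raise RejectedExpression("non-numeric literal")
    return tree

def safe_eval(source, names=None):
    """Evaluate source only after the allowlist check passes."""
    names = dict(names or {})
    tree = check_expression(source, allowed_names=names)
    # Empty __builtins__ is kept as a second layer, not as the control itself.
    return eval(compile(tree, "<checked>", "eval"), {"__builtins__": {}}, names)

def is_rejected(source):
    """True if safe_eval refuses the expression."""
    try:
        safe_eval(source)
    except RejectedExpression:
        return True
    return False
```

The check limits syntax only; it does not bound CPU time or memory, so input length and evaluation time still need their own limits.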