Try Python update

Devan L devlai at gmail.com
Fri Jan 6 19:40:09 EST 2006


Mike Meyer wrote:
> Xavier Morel <xavier.morel at masklinn.net> writes:
[Old message and Xavier's question]
[Mike's reply to Xavier]
>
> > Since Python doesn't have any way to secure the interface built-in,
> > I'd be interested in that.
>
> Devan apparently doesn't have as cooperative an ISP, and is working on
> securing the interpreter. What he's done may be more interesting.

It's not particularly interesting. The C code simply has more
attributes restricted in restricted mode, disabling in particular
__subclasses__. The rest is creating safe __builtins__ and only giving
them some modules (but again, importing is still largely broken,
although one liners are still possible).

In any case, I don't know how secure it actually is, since nobody seems
to go further than import os or import sys. So if you're bored, you can
try to break into it. I haven't secured modjelly entirely, and it might
be possible to trick modjelly into executing code by using descriptors
when it tries to pull out all of the information. Then again, I haven't
even added support for properties in it yet. Plus it has no support for
if you delete critical attributes which are needed to recreate the
object. Still, I think it's good enough to deter any random person from
trying to wipe the server for now.
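
An added example, not part of the original message and not modjelly's code (its internals are not shown here): one way a serializer can pull state out of an untrusted object without triggering descriptors, the risk raised above. It assumes Python 3's `inspect.getattr_static`; `Tripwire`, `naive_snapshot` and `static_snapshot` are hypothetical names, and the sample class is constructed.

```python
import inspect


class Tripwire:
    """Constructed sample: reading .sneaky runs code chosen by the class author."""
    fired = []  # records every time the property getter runs

    def __init__(self):
        self.value = 42

    @property
    def sneaky(self):
        Tripwire.fired.append("getter ran")
        return "computed"


def naive_snapshot(obj):
    """Collect state with getattr(); this invokes property getters."""
    return {n: getattr(obj, n) for n in dir(obj) if not n.startswith("__")}


def static_snapshot(obj):
    """Collect state without invoking the descriptor protocol.

    Names come from the instance dict and the class MRO rather than dir(),
    because dir() calls a user-definable __dir__. Values are fetched with
    inspect.getattr_static, which returns the raw stored object, so a
    property comes back as the property object and its getter never runs.
    Descriptors are reported by type name only, never evaluated.
    """
    try:
        names = set(object.__getattribute__(obj, "__dict__"))
    except AttributeError:  # e.g. a __slots__-only instance
        names = set()
    for klass in type(obj).__mro__:
        names.update(vars(klass))

    state, skipped = {}, {}
    for name in sorted(n for n in names if not n.startswith("__")):
        raw = inspect.getattr_static(obj, name)
        if hasattr(type(raw), "__get__"):  # property, function, slot member...
            skipped[name] = type(raw).__name__
        else:
            state[name] = raw
    return state, skipped
```

The skipped map lets the caller decide what to do with each descriptor (reject the object, or serialize without it) instead of running it.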
