Creating instances of untrusted new-style classes
Devan L
devlai at gmail.com
Fri May 26 00:29:31 EDT 2006
Ben Finney wrote:
> "Devan L" <devlai at gmail.com> writes:
>
> > Is there any safe way to create an instance of an untrusted class
>
> Why are you instantiating classes you don't trust?
>
> > without consulting the class in any way?
> If you don't "consult the class", how can the instance be created
> properly?
>
When my program runs (CGI), the following happens:
* User enters source, which is executed in a restricted environment,
which unserializes a previously serialized environment if there is one.
* The restricted environment is serialized, including any instances
they may have instantiated.
So when I unserialize their instances, I have to recreate them, but
without calling any of their code (I can't run the unserializing code
in a restricted environment). Instances of old-style classes can be
created without touching the actual old-style class code, but I'm not
sure how, if it's possible, to do the same with new-style classes.
- Devan
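
Added example, not part of the original post or thread: a sketch in Python 3 (where every class is new-style) of rebuilding an instance from plain-data state while bypassing the class's `__new__`, `__init__`, `__setattr__` and `__setstate__`. `Untrusted` and `restore_instance` are hypothetical names, and the state is assumed to be an ordinary dict of already-validated plain values.

```python
# Added illustration; Untrusted is a constructed stand-in for user code.
class Untrusted:
    calls = []                          # records every hook that runs

    def __new__(cls):
        cls.calls.append("__new__")
        return super().__new__(cls)

    def __init__(self):
        Untrusted.calls.append("__init__")

    def __setattr__(self, name, value):
        Untrusted.calls.append("__setattr__")
        object.__setattr__(self, name, value)

    def __setstate__(self, state):
        Untrusted.calls.append("__setstate__")

    @property
    def hooked(self):
        return None

    @hooked.setter
    def hooked(self, value):
        Untrusted.calls.append("property setter")


def restore_instance(cls, state):
    """Rebuild an instance from plain-data state without running hooks of cls."""
    # A custom metaclass could intercept the lookups below, so refuse it.
    if type(cls) is not type:
        raise TypeError("custom metaclass not supported")
    if type(state) is not dict:
        raise TypeError("state must be a plain dict")
    # Names defined on the class may be data descriptors (properties, slots)
    # whose __set__ is class-controlled code, so refuse them.
    defined = set()
    for klass in cls.__mro__:
        defined.update(vars(klass))
    for name in state:
        if type(name) is not str or name in defined:
            raise ValueError("refusing attribute name %r" % (name,))
    inst = object.__new__(cls)          # skips cls.__new__ and cls.__init__
    for name, value in state.items():
        object.__setattr__(inst, name, value)   # skips cls.__setattr__
    return inst
```

This only covers construction and state restoration: any later attribute access or method call on the returned object, and its `__del__` at collection time, still runs the class's own code.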