List comprehension - NameError: name '_[1]' is not defined ?

mario ruggier mario.ruggier at gmail.com
Thu Jan 15 16:52:46 EST 2009


On Jan 15, 9:36 pm, Mark Wooding <m... at distorted.org.uk> wrote:
> mario ruggier <mario.rugg... at gmail.com> writes:
> > Some info on its security is at:
> >http://evoque.gizmojo.org/usage/restricted/
> > Tell you what, if you find a security hole there (via exposed template
> > source on a Domain(restricted=True) setup) I'll offer you a nice
> > dinner (including the beer!) somewhere, maybe at some py conference,
> > but even remotely if that is not feasible... ;-) The upcoming 0.4
> > release will run on 2.4 thru to 3.0 -- you can have some fun with that
> > one (the current 0.3 runs on 2.5 and 2.6).
>
> I'm pretty sure I can break this on 3.0, because the f_restricted frame
> flag has gone.  Here's how:
>
> >>> import template, domain
> >>> dom = domain.Domain('/tmp/mdw/', restricted = True, quoting = 'str')
> >>> t = template.Template(dom, 'evil', from_string = True, src = "${inspect.func_globals['_'*2+'builtins'+'_'*2].open('/tmp/mdw/target').read()}")
>
> 2009-01-15 20:30:29,177 ERROR [evoque] RuntimeError: restricted attribute:   File "<string>", line 1, in <module>
> : EvalError(inspect.func_globals['_'*2+'builtins'+'_'*2].open('/tmp/mdw/target').read())
> u'[RuntimeError: restricted attribute:   File "<string>", line 1, in <module>\n: EvalError(inspect.func_globals[\'_\'*2+\'builtins\'+\'_\'*2].open(\'/tmp/mdw/target\').read())]'
>
> which means that it's depending on the func_globals attribute being
> rejected by the interpreter -- which it won't be because 3.0 doesn't
> have restricted evaluation any more.


$ touch /tmp/mdw.test
mr:evoque mario$ python3.0
Python 3.0 (r30:67503, Dec  8 2008, 18:45:31)
[GCC 4.0.1 (Apple Inc. build 5465)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from evoque import domain, template
>>> d = domain.Domain("/", restricted=True, quoting="str")
>>> t = template.Template(d, "mdw1", from_string=True, src="${inspect.func_globals['_'*2+'builtins'+'_'*2].open('/tmp/mdw.test').read()}")
>>> t.evoque()
2009-01-15 22:26:18,704 ERROR [evoque] AttributeError: 'function' object has no attribute 'func_globals':   File "<string>", line 1, in <module>
: EvalError(inspect.func_globals['_'*2+'builtins'+'_'*2].open('/tmp/mdw.test').read())
'[AttributeError: \'function\' object has no attribute \'func_globals\':   File "<string>", line 1, in <module>\n: EvalError(inspect.func_globals[\'_\'*2+\'builtins\'+\'_\'*2].open(\'/tmp/mdw.test\').read())]'

But even if inspect did have the func_globals attribute, the "open"
builtin will not be found on __builtins__ (that is cleaned out when
restricted=True).

But, I guess it is necessary to keep an eye on what is available/
allowed by the different python versions, and adjust as needed,
probably to the lowest common denominator. In addition to what is
mentioned in the doc on evoque's restricted mode at the above URL, do
you have specific suggestions on what may be a good idea to also block
out?

> Python is very leaky.  I don't think trying to restrict Python execution
> is a game that's worth playing.

It may not be worth risking your life on it, but it is certainly worth
playing ;-)

Thanks.. with your permission, I am adding your evil expression to the
restricted tests?

Cheers, mario

> -- [mdw]
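The escape Mark's "evil" expression relies on, shown here as an added example against a toy sandbox rather than against Evoque (this is not Evoque's code, and nothing here says what Evoque actually allows). The sandbox below evaluates an expression with an emptied `__builtins__` but exposes the `inspect` module, as the template in the thread does. `inspect.isfunction` stands in for any plain Python function reachable from the expression. Python 3 spells the attribute `__globals__` (the name Python 2 called `func_globals`), and under CPython a function's `__globals__['__builtins__']` is the builtins table of the module that defined the function, not the sandbox's emptied one; the example normalises that value, which may be a module or a dict, before checking it. The `check_expression` filter that follows is an assumed hardening step, an AST walk that refuses attribute names starting with an underscore plus a short explicit deny list.

```python
"""Added example (not Evoque code): emptying the sandbox's __builtins__ is
not enough once a function object is reachable from the evaluated text.

Assumptions: 'inspect' is exposed to the expression, as in the thread;
inspect.isfunction stands in for any plain Python function; under CPython
a function's __globals__['__builtins__'] is the defining module's builtins
(a dict for modules other than __main__), so it is normalised below.
"""
import ast
import builtins
import inspect


def sandboxed_eval(expr, names):
    """Evaluate expr with an emptied __builtins__; only `names` are visible."""
    return eval(expr, {"__builtins__": {}}, dict(names))


def direct_open_is_blocked():
    """The obvious attack fails: 'open' is not in the sandbox's builtins."""
    try:
        sandboxed_eval("open('/etc/hostname')", {"inspect": inspect})
    except NameError:
        return True
    return False


# Python 3 spelling of the attribute Python 2 called func_globals; the key
# is built from string arithmetic, as in the thread, to dodge a literal scan.
ESCAPE = "inspect.isfunction.__globals__['_'*2+'builtins'+'_'*2]"


def escape_reaches_real_open():
    """The function's __globals__ is the inspect module's namespace, whose
    '__builtins__' entry is the interpreter's real builtins table."""
    leaked = sandboxed_eval(ESCAPE, {"inspect": inspect})
    table = leaked if isinstance(leaked, dict) else vars(leaked)
    return table.get("open") is builtins.open


# Assumed hardening step: refuse attribute syntax that names an underscore
# attribute, plus the non-dunder frame/function internals Python 2 exposed.
DENIED_ATTRS = {"func_globals", "func_code", "gi_frame", "f_globals",
                "f_builtins", "f_locals"}


def check_expression(expr):
    """Parse expr and raise ValueError on any restricted attribute access."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            if node.attr.startswith("_") or node.attr in DENIED_ATTRS:
                raise ValueError("restricted attribute: %s" % node.attr)
    return tree


def hardened_eval(expr, names):
    """Run the attribute filter before handing the text to the sandbox."""
    check_expression(expr)
    return sandboxed_eval(expr, names)


def hardened_blocks_escape():
    """The same ESCAPE text is rejected before it is ever evaluated."""
    try:
        hardened_eval(ESCAPE, {"inspect": inspect})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("direct open blocked:", direct_open_is_blocked())
    print("escape reaches real open:", escape_reaches_real_open())
    print("hardened eval blocks escape:", hardened_blocks_escape())
```

The filter only inspects attribute syntax, so it stops `__globals__` and `func_globals` spelled as attributes but says nothing about objects reachable through subscripts, method calls or any getattr-like helper the template namespace happens to expose; that is the sense in which Python, as Mark puts it, is leaky, and why the lowest common denominator across interpreter versions is the right target for such a list.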