Untrusted code execution

Random832 random832 at fastmail.com
Thu Apr 7 10:33:03 EDT 2016


On Thu, Apr 7, 2016, at 00:48, Steven D'Aprano wrote:
> Sure, but I'm just demonstrating that the unrestricted builtins are just
> one attribute lookup away. And as Chris points out, if you have (say) the
> os module, then:
> 
> magic = os.sys.modules[
>     ''.join(chr(i-1) for i in
>     (96,96,99,118,106,109,117,106,111,116,96,96))
>     ][''.join(chr(i+17) for i in (84,101,80,91))]

I think you probably would not want to allow it access to any "real"
modules, but only proxy objects that allow either a specific set of
names (there are almost certainly functions in os that you don't want,
beyond the imported sys) or something general like "any public
[non-underscore] function/class/variable" (if the module itself has been
examined and exporting this full subset passes security standards); in
the latter case any imported modules would likewise be replaced with the
sandbox's fake module, so os.sys gives you the same thing that import
sys does (though, os in particular would be insane to give blanket
access to, but my test code works for fractions.sys).
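
The proxy-module idea described in this message, as an added example (not code from the original post, and not the poster's test code). `Sandbox`, `PUBLIC` and the policy dictionary are hypothetical names; the sketch covers only attribute lookups on modules, and functions or classes returned through a proxy are still the real objects.

```python
import importlib
import types

PUBLIC = object()  # policy marker: expose every non-underscore name


class Sandbox:
    """Hands sandboxed code proxies instead of real modules."""

    def __init__(self, policy):
        self._policy = dict(policy)  # module name -> PUBLIC or a set of names
        self._proxies = {}           # module name -> proxy (one per module)

    def wrap(self, real):
        name = real.__name__
        if name not in self._policy:
            raise ImportError(f"module {name!r} is not available here")
        if name not in self._proxies:
            self._proxies[name] = _make_proxy(real, self._policy[name], self)
        return self._proxies[name]

    def import_module(self, name):
        # Check the policy first so a refused module is never imported.
        if name not in self._policy:
            raise ImportError(f"module {name!r} is not available here")
        return self.wrap(importlib.import_module(name))


def _make_proxy(real, allowed, sandbox):
    class ModuleProxy:
        __slots__ = ()

        # __getattribute__ (not __getattr__) so the proxy's own dunders,
        # such as __class__ and __dict__, are refused as well.
        def __getattribute__(self, name):
            if name.startswith("_"):
                raise AttributeError(name)
            if allowed is not PUBLIC and name not in allowed:
                raise AttributeError(name)
            value = getattr(real, name)
            if isinstance(value, types.ModuleType):
                # A module reached through another module is swapped for
                # the sandbox's own proxy, or refused if not in the policy.
                try:
                    return sandbox.wrap(value)
                except ImportError:
                    raise AttributeError(name) from None
            return value

    return ModuleProxy()
```

With a policy of `{"fractions": PUBLIC, "sys": {"maxsize", "version_info"}}`, `fractions.sys` and a sandboxed `import sys` return the same proxy, and `sys.modules` is not reachable through either.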


