Untrusted code execution
Jon Ribbens
jon+usenet at unequivocal.co.uk
Thu Apr 7 13:20:38 EDT 2016
On 2016-04-07, Random832 <random832 at fastmail.com> wrote:
> On Thu, Apr 7, 2016, at 08:13, Jon Ribbens wrote:
>> > All the obvious, and even not-so-obvious, attack tools are gone:
>> > eval, exec, getattr, type, __import__.
>
> We don't even need to take these away, per se.
>
> eval and exec could be replaced with functions that perform the
> evaluation with the same rules in the same sandbox.
Ah, that's a good point.
I've put an example script here:
https://github.com/jribbens/unsafe/blob/master/unsafe.py
When run as a script, it will execute whatever Python code you pass it
on stdin.
If anyone can break it (by which I mean escape from the sandbox,
not make it use up all the memory or go into an infinite loop,
both of which are trivial) then I would be very interested.
More information about the Python-list
mailing list