Untrusted code execution

Steven D'Aprano steve at pearwood.info
Fri Apr 8 01:26:34 EDT 2016


On Fri, 8 Apr 2016 12:25 am, Jon Ribbens wrote:

> On 2016-04-07, Chris Angelico <rosuav at gmail.com> wrote:
>> Options 1 and 2 are nastily restricted. Option 3 is likely broken, as
>> exception objects carry tracebacks and such.
> 
> Everything you're saying here is assuming that we must not let the
> attacker see any exception objects, but I don't understand why you're
> assuming that. As far as I can see, the information that exceptions
> hold that we need to prevent access to is all in "__" attributes that
> we're already blocking.

You might be right, but you're putting a lot of trust in one security
mechanism. If an attacker finds a way around that, you're screwed. "Defence
in depth" and "default deny" is, in my opinion, better: prevent the
untrusted user from seeing everything except those things which are proven
to be safe.



-- 
Steven
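As an added illustration of the "default deny" point (example code, not from the thread or any of its participants), the following contrasts a proxy that only hides "__" attributes of an exception with one that exposes nothing but an explicit allowlist; the class names, the probe helper and the sample OSError are constructed for this example.

```python
# Added example, not code from the thread: a default-deny proxy for exception
# objects versus a denylist that only hides "__" attributes. Names are assumed.
import errno


class DunderDenyProxy:
    """Default allow: hides only names starting with "__"; everything else passes through."""
    __slots__ = ("_exc",)          # no __dict__, so the wrapped object cannot be read from it

    def __init__(self, exc):
        object.__setattr__(self, "_exc", exc)

    def __getattr__(self, name):   # only reached when normal lookup on the proxy fails
        if name.startswith("__"):
            raise AttributeError(name)
        return getattr(object.__getattribute__(self, "_exc"), name)


class AllowlistProxy:
    """Default deny: only names explicitly judged safe are readable."""
    __slots__ = ("_exc",)
    SAFE = frozenset({"args"})     # extend only after reviewing what each attribute reveals

    def __init__(self, exc):
        object.__setattr__(self, "_exc", exc)

    def __getattr__(self, name):
        if name not in AllowlistProxy.SAFE:
            raise AttributeError(name)
        return getattr(object.__getattribute__(self, "_exc"), name)


def make_sample_exception():
    """Constructed sample: an OSError whose filename carries a host-side path."""
    return OSError(errno.ENOENT, "No such file or directory", "/srv/app/secret.cfg")


def visible(proxy, names):
    """Report which of the given attribute names the proxy lets through."""
    result = {}
    for name in names:
        try:
            getattr(proxy, name)
            result[name] = True
        except AttributeError:
            result[name] = False
    return result


PROBE = ["args", "filename", "errno", "__traceback__"]

if __name__ == "__main__":
    exc = make_sample_exception()
    print("deny-dunder:", visible(DunderDenyProxy(exc), PROBE))   # filename and errno leak
    print("allowlist:  ", visible(AllowlistProxy(exc), PROBE))    # only args
```

The proxy lives in the same interpreter as the code it shields, so it mediates attribute reads only and is one layer of the defence in depth Steven describes, not a sandbox boundary on its own.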