[Python-checkins] r51755 - python/branches/bcannon-objcap/securing_python.txt

brett.cannon python-checkins at python.org
Tue Sep 5 23:56:43 CEST 2006


Author: brett.cannon
Date: Tue Sep  5 23:56:41 2006
New Revision: 51755

Modified:
   python/branches/bcannon-objcap/securing_python.txt
Log:
Add more things to look into in terms of possible security issues.

Also add some notes on what in 'sys' might or might not be safe.


Modified: python/branches/bcannon-objcap/securing_python.txt
==============================================================================
--- python/branches/bcannon-objcap/securing_python.txt	(original)
+++ python/branches/bcannon-objcap/securing_python.txt	Tue Sep  5 23:56:41 2006
@@ -4,8 +4,7 @@
 Status
 ///////////////////////////////////////
 
-+ Remove object.__subclasses__ (`Mutable Shared State`_) [done]
-+ Dangerous constructors (`Constructors`_)
++ Dangerous types (`Constructors`_)
     - file
         * Create PyFile_Init() from file_init() [done]
         * Switch current C-level uses of 'file' constructor to
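Review bot: the renamed heading "Dangerous types" still points at the `Constructors`_ section; if that section title was left as "Constructors" the reST reference resolves but the two names no longer match, and if it was renamed to match the heading the reference breaks. Either keep the section title as "Constructors" or update this reference to the new title. The "Remove object.__subclasses__" [done] item dropped from this hunk reappears under object() further down the Status list, so no completed work item is lost by the move.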
@@ -26,11 +25,24 @@
               built-in objects.
     - code [done]
         * Add objcap.code_new() function [done]
-    - ??? <go through Objects/*>
+    - frame
+        * do not allow importing 'sys' module to get to
+          sys._getframe() or sys._current_frames().
 + Sandboxed versions of built-ins (`Sanitizing Built-In Types`_)
     - open()
     - __import__() / PEP 302 importer (`Imports`_)
-    - ??? <go through built-ins>
+    - compile() (?)
+    - eval() (?)
+    - execfile()
+    - exit() (XXX verify if it kills the interpreter or the process;
+      should also check raising SystemExit)
+    - input() / raw_input()  (XXX make sure it gets its stdin from sys.stdin
+        and not sys.__stdin__)
+    - type() (?)
+    - object()
+        * Remove object.__subclasses__ (`Mutable Shared State`_) [done]
+        * XXX
+    - globals() / vars() (?)
 + Filesystem path hiding (`Filesystem Information`_)
 + Tweaked stdlib modules
     - mini 'sys' module (`Making the ``sys`` Module Safe`_)
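Review bot: the new frame entry only names the sys entry points sys._getframe() and sys._current_frames(), while later in this same file sys.exc_info() and sys.last_traceback are still tentatively listed as safe attributes; a traceback object leads back to a frame, so those two entries need the same decision or the frame item should cross-reference them. The exit() XXX here ("verify if it kills the interpreter or the process") duplicates the sys.exit() XXX added to the safe-attributes list; record the verification once and point the other entry at it. The bare "* XXX" under object() should say what is still open so it is not mistaken for a placeholder that was meant to be deleted.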
@@ -598,7 +610,7 @@
 that will create a faked sys module that has the safe values copied
 into it?
 
-The safe information values are:
+The safe attributes are:
 
 * builtin_module_names
     Information about what might be blocked from importation.
@@ -611,8 +623,8 @@
 * __displayhook__ (?)
 * __excepthook__ (?)
 * exc_info() (?)
-* exc_clear()
-* exit()
+* exc_clear() (XXX double-check exceptions unique to each interpreter)
+* exit() (XXX make sure only exits interpreter and not process)
 * exitfunc
 * getcheckinterval()
     Returns an int.
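Review bot: exitfunc is left in the safe list with no marker while the neighbouring hooks __displayhook__ and __excepthook__ carry "(?)"; all three are callables the interpreter itself invokes, so exitfunc deserves the same open question, particularly since the exit() line directly above it now flags interpreter-versus-process shutdown behaviour as unverified. Suggest "* exitfunc (?)" with a short note on whether a sandboxed interpreter may set it.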
@@ -624,8 +636,9 @@
     Returns an int about the interpreter.
 * hexversion
     Set to an int about the interpreter.
-* last_type
-* last_value
+* last_type (XXX make sure doesn't return value from creating
+                interpreter) 
+* last_value (XXX see last_type worry)
 * last_traceback (?)
 * maxint
     Set to an int that exposes ambiguous information about the
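Review bot: last_traceback keeps only a "(?)" while last_type and last_value gain an explicit XXX; the "value from creating interpreter" worry applies equally to last_traceback, and because a traceback exposes a frame it also conflicts with the Status item that wants frames unreachable through the sys module, so mark it the same way. Style: the wrapped continuation line under last_type carries trailing whitespace and is indented differently from the other wrapped entries (compare the exit() line above).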

