Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #106521
| Newsgroups | comp.lang.python |
|---|---|
| Date | 2016-04-05 07:17 -0700 |
| References | <slrnng31v9.19u.jon+usenet@wintry.unequivocal.co.uk> <slrnng7gj4.19u.jon+usenet@wintry.unequivocal.co.uk> |
| Message-ID | <58de161a-ecdb-4ada-aab5-871876ea1574@googlegroups.com> (permalink) |
| Subject | Re: Untrusted code execution |
| From | Rustom Mody <rustompmody@gmail.com> |
On Tuesday, April 5, 2016 at 7:19:39 PM UTC+5:30, Jon Ribbens wrote:
> On 2016-04-03, Jon Ribbens wrote:
> > I'd just like to say up front that this is more of a thought experiment
> > than anything else, I don't have any plans to use this idea on any
> > genuinely untrusted code. Apart from anything else, there's the
> > denial-of-service issue.
> >
> > That said, is there any way that the following Python 3.4 code could
> > result in a arbitrary code execution security hole?
> >
> > tree = compile(untrusted_code, "<script>", "eval", ast.PyCF_ONLY_AST)
> > for node in ast.walk(tree):
> > if (isinstance(node, ast.Name) and node.id.startswith("_") or
> > isinstance(node, ast.Attribute) and node.attr.startswith("_")):
> > raise ValueError("Access to private values is not allowed.")
> > namespace = {"__builtins__": {"int": int, "str": str, "len": len}}
> > print(eval(compile(tree, "<script>", "eval"), namespace))
>
> Nobody has any thoughts on this at all?
i actually did...
But dont know enough of the AST API to figure out what you are trying/avoiding etc
Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-03 21:12 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 13:46 +0000
Re: Untrusted code execution Rustom Mody <rustompmody@gmail.com> - 2016-04-05 07:17 -0700
Re: Untrusted code execution Ian Kelly <ian.g.kelly@gmail.com> - 2016-04-05 08:50 -0600
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 17:26 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 18:50 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 19:14 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 19:13 +0000
Re: Untrusted code execution Steven D'Aprano <steve@pearwood.info> - 2016-04-06 11:43 +1000
Re: Untrusted code execution Random832 <random832@fastmail.com> - 2016-04-06 09:14 -0400
Re: Untrusted code execution Steven D'Aprano <steve@pearwood.info> - 2016-04-07 11:45 +1000
Re: Untrusted code execution Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2016-04-07 14:48 +1000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-07 15:18 +0000
Re: Untrusted code execution Steven D'Aprano <steve@pearwood.info> - 2016-04-08 15:28 +1000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-07 12:13 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-07 14:25 +0000
Re: Untrusted code execution Steven D'Aprano <steve@pearwood.info> - 2016-04-08 15:26 +1000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-07 17:20 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-07 17:35 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-10 17:06 +0000
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 17:40 +0000
Re: Untrusted code execution Paul Rubin <no.email@nospam.invalid> - 2016-04-05 13:39 -0700
Re: Untrusted code execution Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-04-05 21:13 +0000
Re: Untrusted code execution Paul Rubin <no.email@nospam.invalid> - 2016-04-07 00:08 -0700
Re: Untrusted code execution Lele Gaifax <lele@metapensiero.it> - 2016-04-08 10:10 +0200
csiph-web