Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #95571
| From | Mark Lawrence <breamoreboy@yahoo.co.uk> |
|---|---|
| Subject | Re: Sandboxing Python |
| Date | 2015-08-23 00:52 +0100 |
| References | <mrb0eh$2md$1@ger.gmane.org> <CAPTjJmrD3oBaHW64BNV6g9RM8LP7khdYUaXDjMXLeSb7dDe7Dg@mail.gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.21.1440287583.17298.python-list@python.org> (permalink) |
On 23/08/2015 00:44, Chris Angelico wrote:
> On Sun, Aug 23, 2015 at 9:25 AM, Mark Lawrence <breamoreboy@yahoo.co.uk> wrote:
>> I was always led to believe that the subject was a difficult thing to do,
>> but here
>> https://www.reddit.com/r/learnpython/comments/3huz4x/how_to_do_math_inside_raw_input/
>> is a safe solution in only 23 characters, or are there any discernable flaws
>> in it?
>
>
> I'm sorry, I can't see which solution you're talking about there -
> maybe I just don't know how to read reddit properly. Can you paste the
> proposed code please?
>
> The best I can see there is "use eval but with no builtins". That's
> fundamentally flawed because you don't need builtins to break stuff.
> All you need is a literal, from which you can snag everything else via
> its attributes.
>
> However, for this situation, I would be recommending ast.literal_eval,
> which *is* safe. It's a lot more powerful than "split it into number,
> operator, number" as mentioned at the end, but still can't majorly
> break anything.
>
> ChrisA
>
<code>
>>> import os
>>> eval("os.system('rm -rf /')", {"__builtins__":None})
Traceback (most recent call last):
File "<pyshell#8>", line 1, in <module>
eval("os.system('rm -rf /')", {"__builtins__":None})
File "<string>", line 1, in <module>
TypeError: 'NoneType' object is not subscriptable
</code>
<comment>
Surely I must I have missed your meaning because I needed just 23
characters and zero extra lines to create a safe sandbox for this, but
you've said that the core developers have tried and failed to do this.
It appears that I didn't just wipe out my entire filesystem and you've
stated quite matter-of-factly that there is no safe solution... so what
happened here? Why didn't my filesystem just get wiped out?
</comment>
--
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.
Mark Lawrence
Back to comp.lang.python | Previous | Next | Find similar | Unroll thread
Re: Sandboxing Python Mark Lawrence <breamoreboy@yahoo.co.uk> - 2015-08-23 00:52 +0100
csiph-web