Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #95571
| Path | csiph.com!news.mixmin.net!feeder1.xsusenet.com!newsfeed.xs4all.nl!newsfeed7.news.xs4all.nl!news.tele.dk!news.tele.dk!small.news.tele.dk!newsgate.cistron.nl!newsgate.news.xs4all.nl!nzpost1.xs4all.net!not-for-mail |
|---|---|
| Return-Path | <python-python-list@m.gmane.org> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| X-Spam-Status | OK 0.001 |
| X-Spam-Evidence | '*H*': 1.00; '*S*': 0.00; 'subject:Python': 0.05; 'from:addr:yahoo.co.uk': 0.05; 'properly.': 0.07; '*is*': 0.09; '-rf': 0.09; 'builtins': 0.09; 'operator,': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'typeerror:': 0.09; 'do,': 0.15; '"use': 0.16; '23,': 0.16; 'attributes.': 0.16; 'eval': 0.16; 'literal,': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'stuff.': 0.16; 'wrote:': 0.16; 'skip:{ 20': 0.18; 'language': 0.19; '>>>': 0.20; '2015': 0.20; 'aug': 0.20; 'proposed': 0.20; '"",': 0.22; 'lawrence': 0.22; 'please?': 0.22; 'sorry,': 0.22; 'am,': 0.23; 'import': 0.24; '(most': 0.24; 'header:In-Reply-To:1': 0.24; 'header:User- Agent:1': 0.26; 'header:X-Complaints-To:1': 0.26; 'chris': 0.26; 'end,': 0.29; "i'm": 0.30; 'code': 0.30; "can't": 0.32; 'language.': 0.32; 'maybe': 0.33; 'traceback': 0.33; 'file': 0.34; 'but': 0.36; 'there': 0.36; 'to:addr:python-list': 0.36; 'subject:: ': 0.37; 'received:org': 0.37; 'to:addr:python.org': 0.40; 'mark': 0.40; 'still': 0.40; 'charset:windows-1252': 0.62; 'more': 0.63; 'safe': 0.63; 'our': 0.64; 'believe': 0.66; 'here': 0.66; 'talking': 0.67; 'url:r': 0.67; 'subject': 0.70; 'led': 0.72; 'chrisa': 0.84; 'pythonistas,': 0.84; 'safe.': 0.93; 'url:comments': 0.93 |
| X-Injected-Via-Gmane | http://gmane.org/ |
| To | python-list@python.org |
| From | Mark Lawrence <breamoreboy@yahoo.co.uk> |
| Subject | Re: Sandboxing Python |
| Date | Sun, 23 Aug 2015 00:52:45 +0100 |
| References | <mrb0eh$2md$1@ger.gmane.org> <CAPTjJmrD3oBaHW64BNV6g9RM8LP7khdYUaXDjMXLeSb7dDe7Dg@mail.gmail.com> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=windows-1252; format=flowed |
| Content-Transfer-Encoding | 7bit |
| X-Gmane-NNTP-Posting-Host | host-92-24-212-5.ppp.as43234.net |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 |
| In-Reply-To | <CAPTjJmrD3oBaHW64BNV6g9RM8LP7khdYUaXDjMXLeSb7dDe7Dg@mail.gmail.com> |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.20+ |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.21.1440287583.17298.python-list@python.org> (permalink) |
| Lines | 51 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1440287583 news.xs4all.nl 23764 [2001:888:2000:d::a6]:38511 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:95571 |
Show key headers only | View raw
On 23/08/2015 00:44, Chris Angelico wrote:
> On Sun, Aug 23, 2015 at 9:25 AM, Mark Lawrence <breamoreboy@yahoo.co.uk> wrote:
>> I was always led to believe that the subject was a difficult thing to do,
>> but here
>> https://www.reddit.com/r/learnpython/comments/3huz4x/how_to_do_math_inside_raw_input/
>> is a safe solution in only 23 characters, or are there any discernable flaws
>> in it?
>
>
> I'm sorry, I can't see which solution you're talking about there -
> maybe I just don't know how to read reddit properly. Can you paste the
> proposed code please?
>
> The best I can see there is "use eval but with no builtins". That's
> fundamentally flawed because you don't need builtins to break stuff.
> All you need is a literal, from which you can snag everything else via
> its attributes.
>
> However, for this situation, I would be recommending ast.literal_eval,
> which *is* safe. It's a lot more powerful than "split it into number,
> operator, number" as mentioned at the end, but still can't majorly
> break anything.
>
> ChrisA
>
<code>
>>> import os
>>> eval("os.system('rm -rf /')", {"__builtins__":None})
Traceback (most recent call last):
File "<pyshell#8>", line 1, in <module>
eval("os.system('rm -rf /')", {"__builtins__":None})
File "<string>", line 1, in <module>
TypeError: 'NoneType' object is not subscriptable
</code>
<comment>
Surely I must I have missed your meaning because I needed just 23
characters and zero extra lines to create a safe sandbox for this, but
you've said that the core developers have tried and failed to do this.
It appears that I didn't just wipe out my entire filesystem and you've
stated quite matter-of-factly that there is no safe solution... so what
happened here? Why didn't my filesystem just get wiped out?
</comment>
--
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.
Mark Lawrence
Back to comp.lang.python | Previous | Next | Find similar | Unroll thread
Re: Sandboxing Python Mark Lawrence <breamoreboy@yahoo.co.uk> - 2015-08-23 00:52 +0100
csiph-web