Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!news.mixmin.net!feeder1.xsusenet.com!newsfeed.xs4all.nl!newsfeed1a.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.001 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'heavily': 0.04; 'subject:Python': 0.05; 'motivated': 0.05; 'pypy': 0.07; 'received:openend.se': 0.09; 'received:theraft.openend.se': 0.09; 'cc:addr:python-list': 0.10; 'cc:addr:lac': 0.16; 'cc:addr:openend.se': 0.16; 'exploits': 0.16; 'from:addr:lac': 0.16; 'from:addr:openend.se': 0.16; 'from:name:laura creighton': 0.16; 'message-id:@fido.openend.se': 0.16; 'of"': 0.16; 'received:89.233': 0.16; 'received:89.233.217': 0.16; 'received:89.233.217.133': 0.16; 'received:fido': 0.16; 'received:fido.openend.se': 0.16; 'to:addr:pearwood.info': 0.16; "to:name:steven d'aprano": 0.16; 'laura': 0.18; 'cc:addr:python.org': 0.21; 'cc:2**1': 0.22; '2015': 0.23; 'wrote': 0.23; 'header:In-Reply-To:1': 0.24; 'received:se': 0.29; 'cc:no real name:2**1': 0.29; 'programmers': 0.31; "can't": 0.32; 'possibly': 0.32; 'really': 0.35; 'but': 0.36; 'being': 0.36; 'there': 0.36; 'subject:: ': 0.37; 'charset:us-ascii': 0.37; 'even': 0.61; 'tracking': 0.61; 'header:Message-Id:1': 0.62; 'more': 0.62; 'different': 0.64; 'due': 0.65; 'received:89': 0.80; '+1000,': 0.84; '>how': 0.84; 'hostile': 0.84 To: "Steven D'Aprano" cc: python-list@python.org, lac@openend.se From: Laura Creighton Subject: Re: Creating a reliable sandboxed Python environment In-Reply-To: Message from "Steven D'Aprano" of "Sun, 31 May 2015 09:52:29 +1000." <556a4d3f$0$12998$c3e8da3$5496439d@news.astraweb.com> References: <60b424a2-2273-42b2-b60c-92656af0afa5@googlegroups.com> <87h9qvxmh0.fsf@jester.gateway.sonic.net> <878uc6yhtq.fsf@jester.gateway.sonic.net> <874mmuy8ko.fsf@jester.gateway.sonic.net><55697c1f$0$13013$c3e8da3$5496439d@news.astraweb.com> <556a4d3f$0$12998$c3e8da3$5496439d@news.astraweb.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <13369.1433052893.1@fido> Date: Sun, 31 May 2015 08:14:53 +0200 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.3.9 (theraft.openend.se [89.233.217.130]); Sun, 31 May 2015 08:14:57 +0200 (CEST) X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.20+ Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 16 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1433052910 news.xs4all.nl 2924 [2001:888:2000:d::a6]:41933 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:91566 In a message of Sun, 31 May 2015 09:52:29 +1000, "Steven D'Aprano" writes: >How many PyPy sandboxes are being used with hostile users motivated to break >out of the sandbox? > >"I wrote a sandbox which I can't break out of" is different from "I wrote a >sandbox which nobody can break out of". Javascript is sandboxed, but due to >bugs in implementations, Javascript-based exploits are now heavily used by >malware. There are possibly even more Javascript-based exploits than buffer >overflow based exploits these days, as C programmers get better at using >automated tools that check for buffer overflows. I don't know, as we don't really have a way of tracking who is using PyPy for anything. We know we have some. Laura