Newsgroups: comp.lang.python
Date: Thu, 18 Oct 2012 08:00:03 -0700 (PDT)
From: lars van gemerden
To: comp.lang.python@googlegroups.com
Cc: python-list@python.org
Subject: Re: use of exec()
References: <2f12fa83-54cc-4fc2-85e4-b8aebebf4242@googlegroups.com> <05702a47-ff6b-4589-8352-d21b1921e77e@googlegroups.com>

On Thursday, October 18, 2012 4:29:45 PM UTC+2, Chris Angelico wrote:
> On Fri, Oct 19, 2012 at 1:07 AM, lars van gemerden wrote:
> > Thanks, Chris,
> >
> > That works like a charm (after replacing "return ns.function" with "return ns['function']" ;-) ).
>
> Err, yes, I forget sometimes that Python doesn't do that. JavaScript
> and Pike both let you (though Pike uses -> instead of . for that
> operator). Yes, Python has real methods on dictionary objects :)
>
> > About the security, I noticed you can still import and use modules within the exec'ed code. Is there a way to prevent this or otherwise make this approach more secure?
>
> Basically no, there's no real way to make it secure. Without
> eliminating exec/eval, destroying insecurity is the hopeless work of a
> wasted life, as the oracle said to Alice.
>
> > I should say that the users that will be able to make custom functions are not end-users, but authenticated designers; however, I would like to close a backdoor to the whole framework.
>
> You have to decide one thing: Will you permit them to execute
> untrusted code on your system? If so, go ahead (and just warn them
> that things like import shouldn't be done, as they can cause other
> messes). I run a server that I build with the help of another guy (I
> do the code, he does the bulk of the content - descriptions and
> stuff), and I'm happy to trust him to not be malicious, so the purpose
> of "embedded code in loci" is to make it easier to write tiny bits of
> code, without any security requirement. But if you need security,
> don't use eval. AT ALL.
>
> There may be a brand new service coming along, though. The ast module
> I think is getting a new evaluator that allows a little more
> functionality than literal_eval, while still not permitting most
> things. But you then have the question of performance, since you
> effectively interpret the code at a high level.
>
> ChrisA

I get your point. Since in this case having the custom code option makes the system a whole lot less complex and flexible, I will leave the option in. The future customer will be informed that they should handle the security around the designers as if they were programmers. Additionally, I will probably add some screening for unwanted keywords (like 'import') and securely log any new/changed custom code including the designer account (must do that for other actions anyway).

Thanks again,

Lars
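The thread settles on three mitigations for designer-supplied code: screen it for unwanted constructs such as `import`, run it with `exec` and fetch `ns['function']` from the namespace, and log every new or changed function together with the designer account. The example below is an added illustration, not code from Lars or Chris, of doing that screening on the parsed AST instead of by substring matching (so comments and string contents do not cause false positives, and `import` spelled in any form is caught by node type), with a restricted `__builtins__` mapping and an audit record per submission. The node allowlist, `SAFE_BUILTINS`, the `AUDIT_LOG` list and the `load_custom_function` name are assumptions for this example; the `function` name in the namespace follows the thread. As Chris says, this is not a security boundary against a hostile designer, only a guard rail plus an audit trail for authenticated ones.

```python
import ast
import hashlib
import json
import logging
from datetime import datetime, timezone

LOG = logging.getLogger("custom_code")

# Assumed DSL subset: plain functions, arithmetic, comparisons, if/for/while,
# literals and calls. Import, ImportFrom, ClassDef, Lambda, Global, With, Try,
# comprehensions and everything else are absent here and therefore rejected.
ALLOWED_NODES = (
    ast.Module, ast.FunctionDef, ast.arguments, ast.arg, ast.Return, ast.Expr,
    ast.Assign, ast.AugAssign, ast.If, ast.For, ast.While, ast.Break,
    ast.Continue, ast.Pass, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.IfExp, ast.Call, ast.keyword, ast.Name, ast.Attribute, ast.Constant,
    ast.Tuple, ast.List, ast.Load, ast.Store,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)

# The only builtins visible to custom code (assumed set); open, __import__,
# exec, eval, getattr and friends are simply not present in this mapping.
SAFE_BUILTINS = {
    "len": len, "min": min, "max": max, "abs": abs, "round": round,
    "sum": sum, "range": range, "str": str, "int": int, "float": float,
}

# Stand-in for the framework's secure log store (constructed for the example).
AUDIT_LOG = []


class ScreeningError(ValueError):
    """Submitted custom code uses a construct outside the allowed subset."""


class _Screen(ast.NodeVisitor):
    """Reject any node type not in ALLOWED_NODES and any underscore name."""

    def generic_visit(self, node):
        if not isinstance(node, ALLOWED_NODES):
            raise ScreeningError(
                f"{type(node).__name__} is not allowed "
                f"(line {getattr(node, 'lineno', '?')})")
        super().generic_visit(node)

    def visit_Name(self, node):
        if node.id.startswith("_"):
            raise ScreeningError(f"name {node.id!r} is not allowed")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if node.attr.startswith("_"):
            raise ScreeningError(f"attribute {node.attr!r} is not allowed")
        self.generic_visit(node)

    def visit_Constant(self, node):
        if not isinstance(node.value, (str, int, float, bool, type(None))):
            raise ScreeningError(f"literal of type {type(node.value).__name__} is not allowed")
        self.generic_visit(node)


def load_custom_function(source, designer):
    """Screen, exec and audit one designer submission; return its function()."""
    record = {
        "designer": designer,
        "sha256": hashlib.sha256(source.encode("utf-8")).hexdigest(),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "status": "rejected",  # flipped to accepted only on success
    }
    try:
        tree = ast.parse(source)          # SyntaxError propagates, logged as rejected
        _Screen().visit(tree)
        ns = {"__builtins__": dict(SAFE_BUILTINS)}
        exec(compile(tree, "<custom-function>", "exec"), ns)
        fn = ns.get("function")           # the thread's ns['function'] convention
        if not callable(fn):
            raise ScreeningError("custom code must define function()")
        record["status"] = "accepted"
        return fn
    finally:
        AUDIT_LOG.append(record)          # every submission is logged, accepted or not
        LOG.info(json.dumps(record))


# Constructed sample submissions for the demo.
GOOD_SOURCE = """
def function(price, qty):
    total = price * qty
    if total > 100:
        total = total * 0.9
    return round(total, 2)
"""
BAD_IMPORT_SOURCE = "import os\ndef function():\n    return 1\n"
BAD_ATTR_SOURCE = "def function():\n    return ().__class__\n"

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    fn = load_custom_function(GOOD_SOURCE, "alice")
    print("alice's function(20, 6) =", fn(20, 6))
    for src in (BAD_IMPORT_SOURCE, BAD_ATTR_SOURCE):
        try:
            load_custom_function(src, "bob")
        except ScreeningError as exc:
            print("rejected:", exc)
```

The allowlist is deliberately an allowlist of node types rather than a denylist of keywords: a new syntax feature or an unanticipated construct is rejected by default instead of slipping through, and the audit record is written in `finally` so a rejected submission leaves the same trace as an accepted one.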