Path: csiph.com!newsfeed.hal-mli.net!feeder3.hal-mli.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.000 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'syntax': 0.04; 'subject:Python': 0.06; 'expressions': 0.07; 'see:': 0.07; 'identifier': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'subject:using': 0.09; 'way:': 0.09; 'win64': 0.09; 'url:blog': 0.10; 'python': 0.11; '"a"': 0.16; 'after,': 0.16; 'ah,': 0.16; 'empty.': 0.16; 'identifiers,': 0.16; 'literals.': 0.16; 'merely': 0.16; 'of)': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'variable.': 0.16; 'prevent': 0.16; 'wrote:': 0.18; 'code.': 0.18; 'wed,': 0.18; 'trying': 0.19; 'example': 0.22; 'header:User-Agent:1': 0.23; "aren't": 0.24; 'exists': 0.24; 'received:comcast.net': 0.24; "shouldn't": 0.24; 'subject: .': 0.24; 'looks': 0.24; '(or': 0.24; 'environment': 0.24; 'compiled': 0.26; 'least': 0.26; 'values': 0.27; 'header:X -Complaints-To:1': 0.27; 'header:In-Reply-To:1': 0.27; 'chris': 0.29; 'thus': 0.29; 'errors': 0.30; "i'm": 0.30; 'code': 0.31; 'serve': 0.31; 'accidentally': 0.31; 'crash': 0.31; 'ok.': 0.31; 'piece': 0.31; 'probably': 0.32; 'text': 0.33; 'are:': 0.33; 'test': 0.35; 'add': 0.35; 'there': 0.35; 'really': 0.36; 'done': 0.36; 'possible': 0.36; 'example,': 0.37; 'nov': 0.38; 'to:addr :python-list': 0.38; 'files': 0.38; 'pm,': 0.38; 'anything': 0.39; 'ability': 0.39; 'subject:[': 0.39; 'embedded': 0.39; 'sure': 0.39; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'even': 0.60; 'catch': 0.60; 'dangerous': 0.60; 'hope': 0.61; 'simple': 0.61; "you're": 0.61; 'back': 0.62; 'making': 0.63; 'therefore,': 0.64; 'safe': 0.72; 'batchelder': 0.84; 'whitelist': 0.84; 'examine': 0.93; '2013': 0.98 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Ned Batchelder Subject: Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Date: Wed, 27 Nov 2013 16:26:46 -0500 References: <6cdefe87-5703-4caf-91c0-b4a02674a1e5@googlegroups.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: c-50-133-228-126.hsd1.ma.comcast.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 In-Reply-To: X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 46 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1385587627 news.xs4all.nl 15937 [2001:888:2000:d::a6]:50446 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:60639 On 11/27/13 3:44 PM, Chris Kaynor wrote: > On Wed, Nov 27, 2013 at 12:09 PM, Ned Batchelder > wrote: > > * Is there perhaps a better way to achieve what I'm trying to do? > > What I'm really after, is to check that python expressions > embedded in text files are: > - well behaved (no syntax errors etc) > - don't accidentally access anything it shouldn't > - I serve them with the values they need on execution > > > I hope you aren't trying to prevent malice this way: you cannot > examine a piece of Python code to prove that it's safe to execute. > For an extreme example, see: Eval Really Is Dangerous: > http://nedbatchelder.com/blog/__201206/eval_really_is___dangerous.html > > > In your environment it looks like you have a whitelist of > identifiers, so you're probably ok. > > > I just tested the crash example from that link in Python 2.7.5 win64 and > the co_names from the compiled code is empty. Therefore, a simple > whitelist would not catch that problematic code (and likely any other > global access done correctly). Even a simple test of making sure that at > least one (or any number of) valid identifier exists would be > insufficent, as you can merely tack on a ",a" to add "a" to the > co_names, and thus for any other variable. Ah, right you are! I neglected to go back and examine the dangerous code. So eval really is dangerous! --Ned. > > Basically, even with a pure whitelist, there is likely no possible way > to make eval/exec safe, unless you also eliminate the ability to make > literals. > > Chris > >