Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.lang.python > #60637

Re: '_[1]' in .co_names using builtin compile() in Python 2.6

References <6cdefe87-5703-4caf-91c0-b4a02674a1e5@googlegroups.com> <l75jhi$o7r$1@ger.gmane.org>
From Chris Kaynor <ckaynor@zindagigames.com>
Date 2013-11-27 12:44 -0800
Subject Re: '_[1]' in .co_names using builtin compile() in Python 2.6
Newsgroups comp.lang.python
Message-ID <mailman.3321.1385585077.18130.python-list@python.org> (permalink)

Show all headers | View raw


[Multipart message — attachments visible in raw view] - view raw

On Wed, Nov 27, 2013 at 12:09 PM, Ned Batchelder <ned@nedbatchelder.com>wrote:

> * Is there perhaps a better way to achieve what I'm trying to do?
>>
>> What I'm really after, is to check that python expressions embedded in
>> text files are:
>> - well behaved (no syntax errors etc)
>> - don't accidentally access anything it shouldn't
>> - I serve them with the values they need on execution
>>
>
> I hope you aren't trying to prevent malice this way: you cannot examine a
> piece of Python code to prove that it's safe to execute.  For an extreme
> example, see: Eval Really Is Dangerous: http://nedbatchelder.com/blog/
> 201206/eval_really_is_dangerous.html
>
> In your environment it looks like you have a whitelist of identifiers, so
> you're probably ok.


I just tested the crash example from that link in Python 2.7.5 win64 and
the co_names from the compiled code is empty. Therefore, a simple whitelist
would not catch that problematic code (and likely any other global access
done correctly). Even a simple test of making sure that at least one (or
any number of) valid identifier exists would be insufficent, as you can
merely tack on a ",a" to add "a" to the co_names, and thus for any other
variable.

Basically, even with a pure whitelist, there is likely no possible way to
make eval/exec safe, unless you also eliminate the ability to make literals.

Chris

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

'_[1]' in .co_names using builtin compile() in Python 2.6 "magnus.lycka@gmail.com" <magnus.lycka@gmail.com> - 2013-11-27 11:40 -0800
  Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Ned Batchelder <ned@nedbatchelder.com> - 2013-11-27 15:09 -0500
    Re: '_[1]' in .co_names using builtin compile() in Python 2.6 "magnus.lycka@gmail.com" <magnus.lycka@gmail.com> - 2013-11-28 03:17 -0800
  Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Ian Kelly <ian.g.kelly@gmail.com> - 2013-11-27 13:23 -0700
  Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Chris Kaynor <ckaynor@zindagigames.com> - 2013-11-27 12:44 -0800
  Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Ned Batchelder <ned@nedbatchelder.com> - 2013-11-27 16:26 -0500
  Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-11-27 22:08 +0000

csiph-web