Steven Bethard wrote:
Yeah, I was concerned about the same thing, but I realized that I can't actually access any of the func_globals attributes:

py> eval('(1).__class__.mro()[-1].__subclasses__()[17]'
...      '.substitute.func_globals', dict(__builtins__=None))
Traceback (most recent call last):
  File "<interactive input>", line 2, in ?
  File "<string>", line 0, in ?
RuntimeError: restricted attribute

AFAIK, you need to get to func_globals to do anything really interesting. (You can get file through object, but you can't get __import__ AFAIK. So you can read and write files which means you can create a DOS attack, but I don't know how to do the equivalent of, say, 'rm -rf /'.)

Hmm... I also can't access the file constructor:

py> eval("(1).__class__.mro()[-1].__subclasses__()[16]"
...      "('temp.txt', 'w').write('')", dict(__builtins__=None))
Traceback (most recent call last):
  File "<interactive input>", line 2, in ?
  File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode

STeVe
--
http://mail.python.org/mailman/listinfo/python-list
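
Added example (not part of the original post, written for Python 3, where the restricted mode that raised the errors above no longer exists): instead of relying on dict(__builtins__=None), parse the untrusted expression and allow-list AST node types before evaluating, so the attribute walks quoted in the post are rejected up front. The names check_expression and safe_eval are hypothetical, and the allow-list assumes only numeric arithmetic is needed.

```python
import ast

# Node types permitted in an untrusted arithmetic expression. Attribute,
# Call, Subscript and Name are deliberately absent, so a walk such as
# (1).__class__.mro()[-1].__subclasses__() is never evaluated.
# Pow is also absent: 9**9**9 would otherwise exhaust CPU and memory.
ALLOWED = (
    ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.UAdd,
)

def check_expression(source):
    """Return (ok, reason); ok is True only if every node is allow-listed."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        return False, "syntax error: %s" % exc.msg
    for node in ast.walk(tree):  # breadth-first, outermost node first
        if not isinstance(node, ALLOWED):
            detail = type(node).__name__
            if isinstance(node, ast.Attribute):
                detail += " ." + node.attr
            return False, "disallowed node: " + detail
        # Only plain numbers: no strings, so no 'a' * 10**9 style blow-up.
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            return False, "disallowed constant: " + type(node.value).__name__
    return True, "ok"

def safe_eval(source):
    """Evaluate source only after it has passed the allow-list check."""
    ok, reason = check_expression(source)
    if not ok:
        raise ValueError(reason)
    code = compile(ast.parse(source, mode="eval"), "<untrusted>", "eval")
    return eval(code, {"__builtins__": {}}, {})

# The two expressions from the post, plus constructed benign inputs.
SAMPLES = [
    "(1).__class__.mro()[-1].__subclasses__()[17].substitute.func_globals",
    "(1).__class__.mro()[-1].__subclasses__()[16]('temp.txt', 'w').write('')",
    "2 * (3 + 4)",
    "-1.5 + 4 / 2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_expression(sample), sample)
```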
