On Jan 15, 4:06 pm, Steven D'Aprano <st...@remove-this- cybersource.com.au> wrote:

Hi Steve!

> > class GetItemEvaluator(object):
> >     def __init__(self):
> >         self.globals = globals() # some dict (never changes)

Ya, this is just a boiled down sample, and for simplicity I set it to the real globals(), so of course it will change when that changes... but in the application this is a distinct dict, that is entirely managed by the application, and it never changes as a result of an *evaluation*.

> Would you like to put a small wager on that?
>
> >>> len(gie.globals)
> 64
> >>> something_new = 0
> >>> len(gie.globals)
> 65

> >         self.globals["ts"] = self.ts
> >         self.globals["join"] = "".join
> >         self.locals = {} # changes on each evaluation
> >     def __getitem__(self, expr):
> >         return eval(expr, self.globals, self.locals)
>
> Can you say "Great Big Security Hole"?

With about the same difficulty as "Rabbit-Proof Fence" ;-)

Again, it is just a boiled down sample, for communication purposes. As I mentioned in another thread, the real application behind all this is one of the *few* secure templating systems around. Some info on its security is at:

http://evoque.gizmojo.org/usage/restricted/

Tell you what, if you find a security hole there (via exposed template source on a Domain(restricted=True) setup) I'll offer you a nice dinner (including the beer!) somewhere, maybe at some py conference, but even remotely if that is not feasible... ;-)

The upcoming 0.4 release will run on 2.4 thru to 3.0 -- you can have some fun with that one (the current 0.3 runs on 2.5 and 2.6).

> --
> Steven

Cheers, mario

-- 
http://mail.python.org/mailman/listinfo/python-list
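An added example, not from this thread and not evoque's code, that makes Steven's two points concrete: the `globals()` dict handed to `eval` is the module's live namespace (so it grows when a module-level name is bound), and an evaluator-owned dict with an explicit `__builtins__` allowlist keeps the namespace fixed and small. The allowlist contents and class names are assumptions; restricting builtins alone is not a sandbox, and the page's restricted-mode link describes the further measures evoque takes.

```python
"""Live module globals vs. an evaluator-owned namespace (constructed example)."""

# Hypothetical allowlist; the thread only shows `ts` and `join` being added.
_SAFE_BUILTINS = {"len": len, "str": str, "min": min, "max": max}


class LiveGlobalsEvaluator:
    """Mirrors the quoted snippet: `globals()` is the module's live dict."""

    def __init__(self):
        self.globals = globals()            # same object as the module namespace
        self.globals["join"] = "".join
        self.locals = {}

    def __getitem__(self, expr):
        return eval(expr, self.globals, self.locals)


class IsolatedEvaluator:
    """Evaluates against a dict it owns. `__builtins__` is an explicit
    allowlist dict, so eval does not fall back to the real builtins module."""

    def __init__(self):
        self.globals = {"__builtins__": dict(_SAFE_BUILTINS), "join": "".join}
        self.locals = {}

    def __getitem__(self, expr):
        return eval(expr, self.globals, self.locals)


def namespace_is_live(evaluator):
    """True if binding a module-level name also shows up in the evaluator's
    globals, i.e. Steven's `len(gie.globals)` going from 64 to 65."""
    before = len(evaluator.globals)
    globals()["something_new"] = 0          # module-level assignment, as in the thread
    after = len(evaluator.globals)
    del globals()["something_new"]
    return after == before + 1


def lookup_is_confined(evaluator, name):
    """True if `name` cannot be resolved from the evaluator's namespace."""
    try:
        evaluator[name]
    except NameError:
        return True
    return False
```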