On Jan 16, 2:30 am, ajaksu <aja...@gmail.com> wrote:
> On Jan 15, 8:21 pm, mario ruggier <mario.rugg...@gmail.com> wrote:
>
> > OK! Here's a small script to make it easier...
>
> Thanks! I think I found a quick way around the restrictions (correct
> me if I borked it), but I think you can block this example by
> resetting your globals/builtins:
>
> exprs = [
>     '(x for x in range(1)).gi_frame.f_globals.clear()',
>     'open("where_is_ma_beer.txt", "w").write("Thanks for the fun ")'
> ]

Cool, the beer that is ;)

Under 2.6... why does python allow the f_globals lookup in this case,
but for the previous example for func_globals it does not?

If you look at the top of the file test/test_restricted.py, there is:

    # Attempt at accessing these attrs under restricted execution on an object
    # that has them should raise a RuntimeError
    RESTRICTED_ATTRS = [
        'im_class', 'im_func', 'im_self',
        'func_code', 'func_defaults', 'func_globals', #'func_name',
        #'tb_frame', 'tb_next',
        #'f_back', 'f_builtins', 'f_code', 'f_exc_traceback', 'f_exc_type',
        #'f_exc_value', 'f_globals', 'f_locals'
    ]

I have not yet finished working this list off to ensure that any lookup
of these attrs wherever they occur will be refused, but I guess that
would block this kind of lookup out. I should also block any attempt to
access any "gi_*" attribute...

Laboriously doing all these checks on each expr eval will be very
performance heavy, so I hope to be able to limit access to all these
more efficiently. Suggestions?

Cheers, Mario

> Regards,
> Daniel
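
Added example, not part of the original message or of the project's code: one way to avoid repeating the attribute checks on every evaluation is to walk the expression's AST once at compile time, refuse denied attribute names, and cache the checked code object. The function names, the cache, the empty-builtins namespace and the choice to deny every name in the quoted list (commented-out entries included) are assumptions of this sketch; a static check only sees attribute names written literally in the expression, so helpers such as getattr must stay out of the evaluation namespace.

```python
import ast

# Names taken from the RESTRICTED_ATTRS list quoted in the message; entries
# that are commented out there are denied too (an assumption of this example).
RESTRICTED_ATTRS = frozenset([
    'im_class', 'im_func', 'im_self',
    'func_code', 'func_defaults', 'func_globals', 'func_name',
    'tb_frame', 'tb_next',
    'f_back', 'f_builtins', 'f_code', 'f_exc_traceback', 'f_exc_type',
    'f_exc_value', 'f_globals', 'f_locals',
])
RESTRICTED_PREFIXES = ('gi_',)  # the message proposes refusing any "gi_*" attribute


class RestrictedAttributeError(ValueError):
    """Raised at compile time when an expression names a denied attribute."""


_code_cache = {}  # expression source -> checked code object (hypothetical cache)


def restricted_names(expr):
    """Return the sorted denied attribute names that expr looks up."""
    tree = ast.parse(expr, mode='eval')
    return sorted({
        node.attr for node in ast.walk(tree)
        if isinstance(node, ast.Attribute)
        and (node.attr in RESTRICTED_ATTRS
             or node.attr.startswith(RESTRICTED_PREFIXES))
    })


def compile_checked(expr):
    """Check expr once, then reuse the cached code object on later calls."""
    code = _code_cache.get(expr)
    if code is None:
        bad = restricted_names(expr)
        if bad:
            raise RestrictedAttributeError('denied attribute(s): ' + ', '.join(bad))
        code = _code_cache[expr] = compile(expr, '<expr>', 'eval')
    return code


def evaluate(expr, names):
    """Evaluate a checked expression with no builtins and only the given names."""
    return eval(compile_checked(expr), {'__builtins__': {}}, dict(names))
```

The cost of the walk is paid once per distinct expression string; repeated evaluations reuse the cached code object.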