Jp Calderone wrote:
>  Probably not.  For example:
> 
>    >>> (1).__class__.__bases__[0].__subclasses__()[-1]('/dev/null')
>    <open file '/dev/null', mode 'r' at 0xb7df53c8>

However:

py> eval("(1).__class__.__bases__[0]"
...      ".__subclasses__()[16]('/dev/null')",
...      dict(__builtins__={}))
Traceback (most recent call last):
   File "<interactive input>", line 3, in ?
   File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode

Also worth noting that you can't get the builtins through a function's 
globals either:

py> eval("(1).__class__.__bases__[0]"
...      ".__subclasses__()[17].substitute.func_globals",
...      dict(__builtins__={}))
Traceback (most recent call last):
   File "<interactive input>", line 3, in ?
   File "<string>", line 0, in ?
RuntimeError: restricted attribute

I've read some of the older posts, which suggested that you could 
restore __builtins__ using a global declaration and a delete, but I 
can't reproduce that bug in current Python.

Note that even if you supply the file object as part of your 
__builtins__, the constructor is still not accessible in restricted mode:

py> eval("file('/dev/null')", dict(__builtins__=dict(file=file)))
Traceback (most recent call last):
   File "<interactive input>", line 1, in ?
   File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode

I believe the official stance is something like: "Well restricted mode 
probably works in a lot of cases, but we're not confident enough in it 
(having found bugs in it over and over) that we'd suggest it for 
production use."

STeVe
-- 
http://mail.python.org/mailman/listinfo/python-list
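
An added example, not part of the original post or of Python itself: instead of depending on the interpreter's restricted mode, this parses the expression with Python 3's `ast` module and evaluates only an allowlist of node types, so the attribute walk quoted above is refused before anything runs. The names `safe_eval`, `classify` and `UnsafeExpression`, and the arithmetic-only policy, are assumptions for illustration.

```python
import ast
import operator

# Assumed policy: numeric literals and basic arithmetic only.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


class UnsafeExpression(ValueError):
    """The expression uses a construct outside the allowlist."""


def _eval_node(node):
    # Evaluate by walking the tree ourselves; eval() is never called.
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Attribute, Call, Subscript, Name and everything else is refused.
    raise UnsafeExpression("disallowed construct: " + type(node).__name__)


def safe_eval(source, max_len=200):
    """Return the value of an arithmetic expression or raise UnsafeExpression."""
    if len(source) > max_len:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(source, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeExpression("not a valid expression") from exc
    return _eval_node(tree)


def classify(source):
    """Return ('ok', value) or ('rejected', reason) for reporting."""
    try:
        return ("ok", safe_eval(source))
    except (UnsafeExpression, ZeroDivisionError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed inputs; the second is the expression from the post.
    for s in ("2 * (3 + 4) - 1", "(1).__class__.__bases__[0]", "file('/dev/null')"):
        print(s, "->", classify(s))
```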
