I'd just like to say up front that this is more of a thought experiment
than anything else, I don't have any plans to use this idea on any
genuinely untrusted code. Apart from anything else, there's the
denial-of-service issue.
That said, is there any way that the following Python 3.4 code could
result in a arbitrary code execution security hole?
tree = compile(untrusted_code, "<script>", "eval", ast.PyCF_ONLY_AST)
for node in ast.walk(tree):
if (isinstance(node, ast.Name) and node.id.startswith("_") or
isinstance(node, ast.Attribute) and node.attr.startswith("_")):
raise ValueError("Access to private values is not allowed.")
namespace = {"__builtins__": {"int": int, "str": str, "len": len}}
print(eval(compile(tree, "<script>", "eval"), namespace))
--
https://mail.python.org/mailman/listinfo/python-list
