On Wed, Apr 6, 2016 at 3:26 AM, Jon Ribbens <jon+use...@unequivocal.co.uk> wrote: > The received wisdom is that restricted code execution in Python is > an insolubly hard problem, but it looks a bit like my 7-line example > above disproves this theory, provided you choose carefully what you > provide in your restricted __builtins__ - but people who knows more > than me about Python seem to have thought about this problem for > longer than I have and come up with the opposite conclusion so I'm > curious what I'm missing.
No, it doesn't disprove anything. All you've shown is "here's a piece of code that hasn't yet been compromised". :) What you're missing is a demonstrated exploit against your code. I can't provide one, but it's entirely possible that one will be found. Your code is a *lot* safer for using 'eval' rather than 'exec'. Otherwise, you'd be easily exploited using exceptions, which carry a ton of info. But even so, I would not bet money (much less the security of my systems) on this being safe. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
