In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> 42 wrote:
> > I was planning on "sanitizing" the language instead of relying on rexec
> > and bastion so issues with them shouldn't be relevant.
>
> I think in dealing with security, deciding what might be relevant before
> you fully understand the problem is somewhat premature...

True enough, but I don't think in this case it applies. It's ok to rule as irrelevant the various security problems with various locking solutions for your front door when the proposed solution is to simply brick the door over, removing it entirely.

> > I'm curious about the 'other' stuff that was alluded to, that could
> > still occur in a python with all its __import__, import, exec, eval, and
> > various reflection/metadata builtins prohibited (e.g. getattr)...
>
> Okay, but are you saying that combining those keywords with "security"
> when searching comp.lang.python in Google Groups produced no useful
> results?

I couldn't say that. I will say that none of the links I clicked on revealed an attack that could bootstrap without the functions I proposed 'removing'.

> When I do it, I generally get to threads where somebody rushes
> in with suggestions about how to add security where the core Python
> people fear to tread (so to speak), and after a short period of back and
> forth where each idea is quickly shot down, the thread sort of dies out
> as (I suspect) the OP realizes the problems are fundamental and probably
> can't be fixed without changes to the Python core itself, or at least
> can't be fixed *with confidence* without a thorough security audit which
> so far nobody has valued enough to actually do.

Difference being that all the threads I read are trying to 'put full python in sandbox' whereas I'd proposed literally hacking out chunks of the language.

FWIW I've already given up on making python secure. I agree that odds are extremely high that I've missed something. I'm just curious to see what one of the holes I left is, preferably without wading through hundreds of pages :)

--
http://mail.python.org/mailman/listinfo/python-list