On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:

> On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
>
>> `eval(the_string, globals = {"__builtins__":None}, locals = {})`
>> should do it. This removes access from all functions. Add any
>> functions that are needed by adding them to the "locals" dictionary.
>>
>> As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
>> and http://lybniz2.sourceforge.net/safeeval.html
>
> Wow, this works, though for much deeper reasons than those given above.
>
> sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
> {'ArithmeticError': <type 'exceptions.ArithmeticError'>,
> ...
> 'zip': <built-in function zip>}
>
> sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__":None}, {})
> ------------------------------------------------------------
> Traceback (most recent call last):
>   File "<ipython console>", line 1, in <module>
>   File "<string>", line 1, in <module>
> RuntimeError: restricted attribute
>
> Even
>
> sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
> ------------------------------------------------------------
> Traceback (most recent call last):
>   File "<ipython console>", line 1, in <module>
>   File "<string>", line 1, in <module>
>   File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
> IOError: file() constructor not accessible in restricted mode
>
> In short, if globals()['__builtins__'] != __builtins__ it runs in
> "Restricted mode" which disallows certain introspections and other
> operations. I don't know that it's bulletproof, but it looks pretty
> solid.
A little googling yielded http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html which is one (of who knows how many) holes in restricted mode.

- Robert