Thanks, Chris (and others), for the comprehensive answer (as usual). I
got interesting insights into Python's inner workings. Of course, when
everything is an object, everything has parents and other relatives, so
by traversing that tree in the right way one can make one's way all the
way to t
On 2020-01-21 3:14 PM, inhahe wrote:
I have written a simple parser/evaluator that is sufficient for my
simple requirements, and I thought I was safe.
Then I saw this comment in a recent post by Robin Becker of ReportLab -
"avoiding simple things like ' '*(10**200) seems quite difficult"
> I have written a simple parser/evaluator that is sufficient for my
> simple requirements, and I thought I was safe.
>
> Then I saw this comment in a recent post by Robin Becker of ReportLab -
>
> "avoiding simple things like ' '*(10**200) seems quite difficult"
>
> I realised that my method
On 21/01/20 6:57 pm, mus...@posteo.org wrote:
If I start with empty global and
local dicts, and an empty __builtins__, and I screen the input string
so it can't contain the string "import", is it still possible to have
"targeted" malicious attacks?
Yes.
Python 3.7.3 (default, Apr 8 2019, 22:2
On Tue, Jan 21, 2020 at 4:59 PM wrote:
>
> On Mon, 20 Jan 2020 06:43:41 +1100
> Chris Angelico wrote:
>
> > On Mon, Jan 20, 2020 at 4:43 AM wrote:
> > > It works, but is it safe?
> >
> > As such? No.
>
> That's what many people have said, and I believe them. But just from a
> point of technical
On Mon, 20 Jan 2020 06:43:41 +1100
Chris Angelico wrote:
> On Mon, Jan 20, 2020 at 4:43 AM wrote:
> > It works, but is it safe?
>
> As such? No.
That's what many people have said, and I believe them. But just from a
point of technical understanding: If I start with empty global and
local dic
On 2020-01-19 7:53 PM, Paul Moore wrote:
On Sun, 19 Jan 2020 at 17:45, wrote:
Is it actually possible to build a "sandbox" around eval, permitting it
only to do some arithmetic and use some math functions, but no
filesystem access or module imports?
If you require safety, you really need to w
> On 19. Jan 2020, at 19:35, mus...@posteo.org wrote:
>
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
>
> I have an application that loads calculation recipes (a f
On 2020-01-19, Jon Ribbens via Python-list wrote:
> On 2020-01-19, mus...@posteo.org wrote:
>> Is it actually possible to build a "sandbox" around eval [...]
>>
>> [...]
>>
>> It works, but is it safe?
>
> No, not even slightly. If you want to do this you need to write your
> own interpreter tha
On Mon, Jan 20, 2020 at 4:43 AM wrote:
>
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
>
> I have an application that loads calculation recipes (a few lines of
> varia
On 2020-01-19, mus...@posteo.org wrote:
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
>
> I have an application that loads calculation recipes (a few lines of
> variab
On 2020-01-19 17:35, mus...@posteo.org wrote:
Is it actually possible to build a "sandbox" around eval, permitting it
only to do some arithmetic and use some math functions, but no
filesystem access or module imports?
I have an application that loads calculation recipes (a few lines of
variable a
On Sun, 19 Jan 2020 at 17:45, wrote:
>
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
No. This has been tried before, and it simply isn't safe in the face
of malicious