Re: [Tutor] best way to dynamically set class variables?
An interesting discussion that is outside the scope of a group like this is HOW malicious things can be done and perhaps how to avoid them.

Obviously some contexts are totally uncontrolled. If you write a "calculator" that asks the user to type in an arbitrary string like "2*(3+5)" or "sin(30)" and execute that string and show the result, then they can slip in anything like a shell command to reformat the hard disk.

What can you do to minimize risks in such situations? Obviously you might want to scan the string before executing and look for things like carriage returns and semi-colons that might be used to add continuation commands beyond what is asked for. You might limit the length of the string. You might scan for keywords like def and lambda. But note that a cursory scan like that has false positives as well as false negatives. You might recognize something within a character string context that is harmless or you might reject a valid SQL query because it used a word you disallow that is actually a harmless name of a data column.

And, realistically, Python has so many ways to get around things that it gets silly. Given some room and ingenuity, you can create code that assembles individual characters and then executes them into a program so a scan may not reveal anything. Heck, if you can simply create a module on the disk somewhere, all you need to do is insert enough code to IMPORT the file and you can do pretty much anything. If asked to enter a calculator entry, for example, and you simply say:

    5+3;import mymodule

You then have an

    exec("5+3;import mymodule")

Some such things may generate an error but only after the side effect is done. Python code is often wide open, by design, so subtle messing with internals is easy. As an example, you can change the search path for modules with an assignment statement and then any subsequent call for importing a named module gets the one you substituted.

So, yes, executing random code can be dangerous.
But life is dangerous.

-Original Message-
From: Tutor On Behalf Of Alan Gauld via Tutor
Sent: Thursday, November 8, 2018 5:52 AM
To: tutor@python.org
Subject: Re: [Tutor] best way to dynamically set class variables?

On 08/11/2018 07:46, Peter Otten wrote:
> By the way I don't think exec() is bad as long as you control its
> input and as long as this input is fairly simple.

Yes, but reading arbitrary column names from a database is not exactly controlled input...

-- 
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos

___
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] best way to dynamically set class variables?
On 8 Nov 2018 17:34, Avi Gross wrote:
> What can you do to minimize risks in such
> situations?

ast.literal_eval, with a smallish maximum string length? https://docs.python.org/3/library/ast.html. (That's exactly the only ast function that I know! :-)
[Tutor] Require Python assistance
Dear
May I know how to solve the cryptography with Python programming language as below -
(1) Implement Elgamal Method(2) Implement Elliptic Curve Cryptography method(3) Implement Rabin Method(4) Implement RSA Method
Find (a) Prime test (b) Inverse function
Please help me by provide your advice and suggestion so that I can improve my computing skills (please see the attached file)

Prayerfully
Tron Orino Yeong
tcynoteb...@yahoo.com
0916643858
Re: [Tutor] Require Python assistance
On Nov 9, 2018 12:34 PM, "TCY via Tutor" wrote:
>
> Dear
> May I know how to solve the cryptography with Python programming language as below -
> (1) Implement Elgamal Method(2) Implement Elliptic Curve Cryptography method(3) Implement Rabin Method(4) Implement RSA Method
> Find (a) Prime test (b) Inverse function

This list does not send attachments. If the file is not large just send it as part of the email body.

As you can see the text above came thru as 1 long line. I presume when you sent it it looked like 4 lines. If that is the case you need to send the email as plain text rather than some fancy formatted way.

> Please help me by provide your advice

Learn how to ask questions that are more precise and specific. "Solve the cryptography" doesn't tell me anything. The more clearly you state your objectives the easier it becomes for us to help you.

Google is your friend here. For example try searching Google for "Elliptic Curve Cryptography python"

> and suggestion so that I can improve my computing skills (please see the attached file)

Bob Gailer
Re: [Tutor] Require Python assistance
On 11/9/18 11:59 AM, Bob Gailer wrote:
> On Nov 9, 2018 12:34 PM, "TCY via Tutor" wrote:
>>
>> Dear
>> May I know how to solve the cryptography with Python programming language as below -
>> (1) Implement Elgamal Method(2) Implement Elliptic Curve Cryptography method(3) Implement Rabin Method(4) Implement RSA Method
>> Find (a) Prime test (b) Inverse function
>
> This list does not send attachments. If the file is not large just send it as part of the email body.
>
> As you can see the text above came thru as 1 long line. I presume when you sent it it looked like 4 lines. If that is the case you need to send the email as plain text rather than some fancy formatted way.
>
>> Please help me by provide your advice
>
> Learn how to ask questions that are more precise and specific. "Solve the cryptography" doesn't tell me anything. The more clearly you state your objectives the easier it becomes for us to help you.
>
> Google is your friend here. For example try searching Google for "Elliptic Curve Cryptography python"
>
>> and suggestion so that I can improve my computing skills (please see the attached file)

There has been a *lot* of crypto work in Python. If your objective is to learn the techniques you might look at what others have done; if your objective is to use these techniques, there's a decent chance it has been already implemented. You could look, as a starting point (but by no means as the only resource), at the pycrypto package https://www.dlitz.net/software/pycrypto/
Re: [Tutor] best way to dynamically set class variables?
On Thu, Nov 08, 2018 at 11:34:35AM -0500, Avi Gross wrote:
> An interesting discussion that is outside the scope of a group like this is
> HOW malicious things can be done and perhaps how to avoid them.
>
> Obviously some contexts are totally uncontrolled. If you write a
> "calculator" that asks the user to type in an arbitrary string like
> "2*(3+5)" or "sin(30)" and execute that string and show the result, then
> they can slip in anything like a shell command to reformat the hard disk.

If they want to reformat their own hard disk, there are much easier ways than slipping a shell command into a Python calculator.

The risk, tiny as it is, is that something which starts life as a desktop application running on the user's own computer gets extracted out into a library used in a web application running on somebody else's server. So in that sense, it is better to avoid eval/exec even on locally-run desktop applications. But it is *critical* to avoid eval or exec on untrusted input running on a server.

> What can you do to minimize risks in such situations?

(1) Don't use eval or exec.

(2) If you must use eval or exec, consider allowing only a whitelist of allowed commands. You can do that by specifying the global and local namespace arguments:

    import math

    ns = {'round': round, 'sin': math.sin, '__builtins__': None}
    eval(command, ns, ns)

You must set __builtins__ to something; if it is missing, the interpreter will set it to the real builtins module and open the doors wide open.

(3) Don't use eval or exec.

(4) But even with a whitelist, it is remarkably easy to break out of the sandbox. Most(?) tricks for doing so involve using dunder (Double UNDERscore) attributes, so a quick palliative for this is to disallow any command that includes an underscore:

    class InvalidCommand(Exception):
        pass

    if '_' in command:
        raise InvalidCommand('syntax error: no underscores allowed')
    else:
        eval(command, ns, ns)

(5) It's okay to use eval and exec for your own use, at the interactive interpreter, or in quick scripts you use in a trusted environment.

(6) But even if you successfully block all the escape tricks, the user can trivially DOS (Denial Of Service) your calculator web app:

    command = '(2**1000)**(2**1000)**(2**1000)'

so you need to run it in an environment where evaluation will timeout after a certain amount of time, without using up all the memory on your server.

(7) For experts, it's okay to use eval or exec. Maybe. For a good use of exec, see the source code to namedtuple in the collections module. Or this:

http://code.activestate.com/recipes/578918-yet-another-namedtuple/

-- 
Steve
Re: [Tutor] Require Python assistance
As I see others have replied, the question is not easy to understand and seems so broad as to be overwhelming to actually do without further info. It would be easier if someone asked if we could direct him to resources that either explain the algorithms needed or to full-blown packages/modules they could easily incorporate. From the text shown, does it not seem like some kind of HW assignment, perhaps to compare and contrast various methods?

As usual, attachments cannot be seen. If someone is interested, you can ask, in situations like these, to be sent such things directly to your mail. Alternately, there are services out there that let you share files in the cloud for retrieval, sometimes even quite large files. Sending a link like that with your message might work, in moderation.

The message indicates they want to improve their computing skills. That may suggest wanting to implement algorithms in basic Python from scratch, as compared to wanting packages that do it all for you.

If I were asking for help, I have some things I would include that include spelling out what I need but also a synopsis of what I have done, such as do a search for: " python encryption package " or whatever. If it was an assignment on one page, that might be worth mentioning.

As I see it, not speaking for Alan, I see several kinds of useful purposes in tutoring. One is to help someone get started when they have no idea what resources to even look for. You may also want to ask questions to get them to spell out their need more clearly and perhaps figure out what to do. You then expect them to go away and do the work. If they come back, it should be with a more focused need and again, they should get advice and hints and maybe a brief example but not have the work done for them. If they have a bug, and have narrowed it down using print statements or debuggers or local help, and can reproduce it in a small example, maybe they can ask if others can detect some syntax error or logic error.

I recently heard that Python 3.8 or so may add a new assignment operator (:=) so if they tried it and failed under existing versions, we might tell them to either not use it now or wait.

This group is open and welcoming and should remain so. But it is reasonable to expect that answers and suggestions will not be given unless enough information is presented.

I understand that attachments are not allowed for an assortment of reasons. The forum is hosted on python.org and space is limited. I could see creating a companion group such as pythontutorattachme...@groups.yahoo.com where you could send messages with attachments for those who wish to subscribe, with the main interaction remaining here or one-on-one.

Back to the case in point. Can I assume all the encryption methods have been implemented in anything from algorithm pseudocode to some programming language (perhaps other than Python) in a form you can read the source code? If so, assuming multilingual abilities, the problem becomes one of translating it into Python. But, of course, if the need is to make it work in all reasonable versions of Python, good luck!

But before we are asked, SEARCH for things. A few well placed keywords can locate so much. Part of learning to be a programmer is to do as much as you can by yourself.

-Original Message-
From: Tutor On Behalf Of TCY via Tutor
Sent: Friday, November 9, 2018 8:13 AM
To: tutor@python.org
Subject: [Tutor] Require Python assistance

Dear
May I know how to solve the cryptography with Python programming language as below -
(1) Implement Elgamal Method(2) Implement Elliptic Curve Cryptography method(3) Implement Rabin Method(4) Implement RSA Method
Find (a) Prime test (b) Inverse function
Please help me by provide your advice and suggestion so that I can improve my computing skills (please see the attached file)

Prayerfully
Tron Orino Yeong
tcynoteb...@yahoo.com
0916643858
Re: [Tutor] best way to dynamically set class variables?
On 10 Nov 2018 01:03, Steven D'Aprano wrote:
> On Thu, Nov 08, 2018 at 11:34:35AM -0500, Avi Gross wrote:
>> An interesting discussion that is outside the scope of a group like this is
>> HOW malicious things can be done and perhaps how to avoid them.
>

Isn't the rule, simply:

    this_is_stupid = eval(input("please enter malicious code: "))

... and other uses range from 'code smell' to 'elegant' (where namedtuple is an example of the latter)