guido> I can access the various class and metaclass objects
guido> easily [snip]
It would've been possible to replace __call__ on the metaclass --
which, though not a security leak by itself, could've been abused for
some fun.
I've inlined the __metaclass__ to prevent fun of this kind.
But t
Another potential avenue for attacks:
I can access the various class and metaclass objects easily:
>>> f = FileReader('/etc/passwd')
>>> f.__class__
>>> f.__class__.__metaclass__
>>> f.__class__.__metaclass__.__call__
>>> f.__class__.__metaclass__.__call__.im_func
>>> kall = f.__class__.__met
Guido van Rossum wrote:
> So how do you get destructors to run in that case? Or do you just not
> run them? Then open files may not be closed and may not even see their
> buffer flushed. I'm not happy about that.
Unfortantely I don't have an up-to-date understand of the issues
regarding modules a
victor> f.tell.__getattribute__('func_closure')
tak> But, have you actually run that code?
Ooops, I modified my local copy of safelite.py to disable func_xxx
protections :-p With the latest version of safelite.py, my exploit doesn't
work anymore. Sorry.
--
Victor Stinner aka haypo
http://www.
Le Tuesday 24 February 2009 01:31:55 Victor Stinner, vous avez écrit :
> (...)
> But how can we get the closure if b.func_closure doesn't exist? Oh, wait!
> What's this: b.__getattribute__...
> -
> secret = get_cell_value(b.__getattribute__('func_closure')[0])
>
Hey Victor,
You definitely got to the heart of the challenge.
> f.tell.__getattribute__('func_closure')
But, have you actually run that code?
Cos that doesn't work here... sorry if I missed something...
--
love, tav
plex:espians/tav | t...@espians.com | +44 (0) 7809 569 369
http://tav.espian
Hey all,
victor> Could you keep all versions of safelite.py?
I took Steven D'Aprano's advice and added a VERSION attribute and
state the latest version on
http://tav.espians.com/a-challenge-to-break-python-security.html
Is that okay?
antoine> I guess Tav should open a restaurant :-)
Hehe!!
Le Monday 23 February 2009 23:41:30, vous avez écrit :
> http://tav.espians.com/a-challenge-to-break-python-security.html
>
> Please blog/retweet and of course, try the challenge yourselves =)
The challenge can be seen as: is it possible to read "secret" in the following
code without using b.func
On Mon, Feb 23, 2009 at 4:06 PM, Victor Stinner
wrote:
> Le Tuesday 24 February 2009 00:51:25 Farshid Lashkari, vous avez écrit :
>> It seems like some code in safelite passes a file object to
>> isinstance. By overriding the builtin isinstance function I can get
>> access to the original file obj
tav wrote:
But that doesn't invalidate
the model or the possibility of using it in Python.
However, there's also the matter of whether it's
*practical* to use the model in Python.
The custom-string exploit illustrates that you have
to be extremely careful what you do with, and
what you assume
Le Tuesday 24 February 2009 00:22:19 tav, vous avez écrit :
> guido> >>> class S(str):
> guido> ... def __eq__(self, o): print o; return 'r' == o
> guido> [snip]
>
> Very devious -- @eichin and Guido!
mode = str(mode) is not enough to protect FileReader about evil object
faking "r" string
Le Tuesday 24 February 2009 00:51:25 Farshid Lashkari, vous avez écrit :
> It seems like some code in safelite passes a file object to
> isinstance. By overriding the builtin isinstance function I can get
> access to the original file object and create a new one.
Wow, excellent idea!
--
Victor S
Farshid Lashkari gmail.com> writes:
>
> It seems like some code in safelite passes a file object to
> isinstance. By overriding the builtin isinstance function I can get
> access to the original file object and create a new one. Here is the
> code I used:
I guess Tav should open a restaurant :-)
It seems like some code in safelite passes a file object to
isinstance. By overriding the builtin isinstance function I can get
access to the original file object and create a new one. Here is the
code I used:
from safelite import FileReader
_real_file = None
def _new_isinstance(obj,types):
On Mon, Feb 23, 2009 at 3:33 PM, Neil Schemenauer wrote:
> Guido van Rossum wrote:
>> No. Trust me. It is not always possible to strengthen the
>> implementation. (At least not until we get rid of the "replace all
>> globals with None upon module deletion" rule.)
>
> We should do that. Trying to
Guido van Rossum wrote:
> No. Trust me. It is not always possible to strengthen the
> implementation. (At least not until we get rid of the "replace all
> globals with None upon module deletion" rule.)
We should do that. Trying to do cleanup without globals sucks. I
updated Armin's patch that's
On Mon, Feb 23, 2009 at 3:16 PM, "Martin v. Löwis" wrote:
>> Don't I remember the previous restricted module dying a similar "death
>> of 1,000 cuts" before it was concluded to be unsafe at any height and
>> abandoned?
>
> I think you are slightly misremembering. It got cut again and again,
> but
guido> >>> class S(str):
guido> ... def __eq__(self, o): print o; return 'r' == o
guido> [snip]
Very devious -- @eichin and Guido!
You guys get the price for the cutest exploit yet -- but sadly no
dinner or drinks -- that was just for the first crack -- which goes to
Victor =)
steve> D
> Don't I remember the previous restricted module dying a similar "death
> of 1,000 cuts" before it was concluded to be unsafe at any height and
> abandoned?
I think you are slightly misremembering. It got cut again and again,
but never died. Then, new-style classes hit an artery, and it bled
to d
Sorry, it wasn't Ian Bicking. I have no idea what made me thing that.
I guess I am not yet an experienced Tweeter. :-( It was Mark Eichin,
CC'ed here.
--Guido
On Mon, Feb 23, 2009 at 2:51 PM, Guido van Rossum wrote:
> TWIW, on Twitter, Ian Bicking just came up with a half-solution. I
> figured o
Hey Martin,
>> The patch is a mere 6 lines of code and provides the absolute minimum
>> that is needed to secure the Python interpreter!
>
> Unlike Guido, I'm not quite willing to your word for it.
You are right. Sorry, I was a bit too enthusiastic and overstated the case.
How about: "it could p
Don't I remember the previous restricted module dying a similar "death
of 1,000 cuts" before it was concluded to be unsafe at any height and
abandoned?
regards
Steve
Guido van Rossum wrote:
> TWIW, on Twitter, Ian Bicking just came up with a half-solution. I
> figured out the other half. I guess
TWIW, on Twitter, Ian Bicking just came up with a half-solution. I
figured out the other half. I guess you own Ian drinks and me dinner.
:-)
$ python
Python 2.5.3a0 (release25-maint:64494, Jun 23 2008, 19:17:09)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type "help", "copyright", "credits" or "
> And, here's a version for Python 2.6+ -- diffed against an svn
> checkout of the current python/trunk:
>
> http://codereview.appspot.com/21051/show
>
> Please review also. Cheers!
No need to provide two versions. Regular back-merging should be
able to deal with that just fine.
Regards,
Mart
> Could one of you please review:
>
> http://codereview.appspot.com/20051
>
> The patch is a mere 6 lines of code and provides the absolute minimum
> that is needed to secure the Python interpreter!
Unlike Guido, I'm not quite willing to your word for it.
OTOH, the patch looks harmless (with
> I take it back, we need to find all the trivial ones too.
Agreed!
> BTW Tav, you ought to create a small website for this challenge. A
> blog post or wiki page would suffice.
Done.
http://tav.espians.com/a-challenge-to-break-python-security.html
Please blog/retweet and of course, try the cha
On Mon, Feb 23, 2009 at 13:23, Nick Coghlan wrote:
> Brett Cannon wrote:
> > Well, neither do I as your proposed approach below is what I do for
> > warnings.
>
> It's possible I actually had test_warnings.py open in another window
> while writing that example function... ;)
>
> As Steven said, y
Le Monday 23 February 2009 22:36:47, vous avez écrit :
> reload(__builtins__)
> (...)
>
> Tav should have made another stipulation: the attack must not be
> trivial to fix.
Why not? Any hole is enough to break a jail. The cracker doesn't care if it's
trivial to fix or not :-p
--
Victor Sti
On Mon, Feb 23, 2009 at 1:36 PM, Guido van Rossum wrote:
> On Mon, Feb 23, 2009 at 1:12 PM, Victor Stinner
> wrote:
>>> The challenge is simple:
>>>
>>> * Open a fresh Python interpreter
>>> * Do: >>> from safelite import FileReader
>>> * You can use FileReader to read files on your filesystem
>>
On Mon, Feb 23, 2009 at 1:12 PM, Victor Stinner
wrote:
>> The challenge is simple:
>>
>> * Open a fresh Python interpreter
>> * Do: >>> from safelite import FileReader
>> * You can use FileReader to read files on your filesystem
>> * Now find a way to *write* to the filesystem from your interprete
Woo!
victor> >>> file('0wn3d', 'w').write('w00t\n')
victor> Cool. It's a good reason to go to Pycon UK this yeak ;-)
Thank you so much Victor! Please mail/phone me when you are heading to
London and I shall honour the evening out!
Now, how about this adapted version without reload?
I could
Brett Cannon wrote:
> Well, neither do I as your proposed approach below is what I do for
> warnings.
It's possible I actually had test_warnings.py open in another window
while writing that example function... ;)
As Steven said, your concerns are precisely why I'm suggesting hiding
this in a help
> The challenge is simple:
>
> * Open a fresh Python interpreter
> * Do: >>> from safelite import FileReader
> * You can use FileReader to read files on your filesystem
> * Now find a way to *write* to the filesystem from your interpreter
Well, the challenge is to get access to a module. And... it
I sent a link out to Twitter...
On Mon, Feb 23, 2009 at 12:40 PM, Steven Bethard
wrote:
> On Mon, Feb 23, 2009 at 12:10 PM, tav wrote:
>> Hey all,
>>
>> As an attempt to convince everyone of the merits of my functions-based
>> approach to security, I've come up with a simple challenge. I've
>> a
On Mon, Feb 23, 2009 at 12:10 PM, tav wrote:
> Hey all,
>
> As an attempt to convince everyone of the merits of my functions-based
> approach to security, I've come up with a simple challenge. I've
> attached it as safelite.py
>
> The challenge is simple:
>
> * Open a fresh Python interpreter
> *
Hey Brett,
> Ah, OK. I just quickly looked at your patches on codereview and noticed that
> neither __closure__ or __globals__ have been touched.
Those are already restricted by Python when __builtins__ is not the
same as the standard one.
> I assume you are worried about getting a hold of the
On Mon, Feb 23, 2009 at 12:10, tav wrote:
> Hey all,
>
> As an attempt to convince everyone of the merits of my functions-based
> approach to security, I've come up with a simple challenge. I've
> attached it as safelite.py
>
> The challenge is simple:
>
> * Open a fresh Python interpreter
> * Do
Hey all,
As an attempt to convince everyone of the merits of my functions-based
approach to security, I've come up with a simple challenge. I've
attached it as safelite.py
The challenge is simple:
* Open a fresh Python interpreter
* Do: >>> from safelite import FileReader
* You can use FileReade
On Mon, Feb 23, 2009 at 04:02, Nick Coghlan wrote:
> For example, a version that allows any number of extension modules to be
> suppressed when importing a module (defaulting to the Foo/_Foo naming):
>
> import sys
> def import_python_only(mod_name, *ext_names):
>if not ext_names:
>e
On Mon, Feb 23, 2009 at 09:23, tav wrote:
> Dearest fellow Python lovers,
>
> Could one of you please review:
>
> http://codereview.appspot.com/20051
>
> The patch is a mere 6 lines of code and provides the absolute minimum
> that is needed to secure the Python interpreter! [This patch is for
>
On Mon, Feb 23, 2009 at 04:02, Nick Coghlan wrote:
> Brett Cannon wrote:
> > I don't want to move it because this isn't some idea for a new feature
> > that may or may not be useful; this isn't an "idea", it's needed.
>
> It is needed, but it's only really needed in the test suite. The
> "sys.mod
On Sun, Feb 22, 2009 at 22:41, Aahz wrote:
> On Sun, Feb 22, 2009, Brett Cannon wrote:
> > On Sat, Feb 21, 2009 at 20:12, Aahz wrote:
> >> On Sat, Feb 21, 2009, Brett Cannon wrote:
> >>> On Sat, Feb 21, 2009 at 15:46, Aahz wrote:
> On Sat, Feb 21, 2009, Brett Cannon wrote:
> >
> >
On Mon, Feb 23, 2009 at 6:43 PM, A.M. Kuchling wrote:
> On Mon, Feb 23, 2009 at 02:16:17PM +0100, Tarek Ziadé wrote:
>> I am trying to reach Greg Ward to get a maintainer access to Distutils
>> at PyPI, but his email address at python.net (and some other) doesn't
>> work anymore.
>
> Greg's websit
On Mon, Feb 23, 2009 at 02:16:17PM +0100, Tarek Ziadé wrote:
> I am trying to reach Greg Ward to get a maintainer access to Distutils
> at PyPI, but his email address at python.net (and some other) doesn't
> work anymore.
Greg's website at www.gerg.ca (not a typo!) has e-mail addresses.
However,
And, here's a version for Python 2.6+ -- diffed against an svn
checkout of the current python/trunk:
http://codereview.appspot.com/21051/show
Please review also. Cheers!
--
love, tav
plex:espians/tav | t...@espians.com | +44 (0) 7809 569 369
http://tav.espians.com | @tav | skype:tavespian
__
Dearest fellow Python lovers,
Could one of you please review:
http://codereview.appspot.com/20051
The patch is a mere 6 lines of code and provides the absolute minimum
that is needed to secure the Python interpreter! [This patch is for
Python 2.5.4 -- I can create one for the other branches to
None of those are useful attacks on app engine though.
On Mon, Feb 23, 2009 at 7:57 AM, Victor Stinner
wrote:
> Le Sunday 22 February 2009 17:45:27 Guido van Rossum, vous avez écrit :
>> I've received some enthusiastic emails from someone who wants to
>> revive restricted mode.
>> (...)
>> Based
Le Sunday 22 February 2009 17:45:27 Guido van Rossum, vous avez écrit :
> I've received some enthusiastic emails from someone who wants to
> revive restricted mode.
> (...)
> Based on his code (the file secure.py is all you need, included in
> secure.tar.gz) it seems he believes the only security
On Sun, Feb 22, 2009 at 8:14 PM, P.J. Eby wrote:
> At 07:56 PM 2/22/2009 -0800, Guido van Rossum wrote:
>>
>> On Sun, Feb 22, 2009 at 7:39 PM, P.J. Eby wrote:
>> > Just a question, but, if you just need a pure-python restricted
>> > environment
>> > for App Engine, why not just use the Restricted
_
Blijf altijd op de hoogte van wat jouw vrienden doen
http://home.live.com___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
Hello,
I am trying to reach Greg Ward to get a maintainer access to Distutils
at PyPI, but his email address at python.net (and some other) doesn't
work anymore.
Anyone knows how to reach him ?
Thanks
Tarek
--
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.
Brett Cannon wrote:
> I don't want to move it because this isn't some idea for a new feature
> that may or may not be useful; this isn't an "idea", it's needed.
It is needed, but it's only really needed in the test suite. The
"sys.modules hackery" needed to get a Python-only version using the
exis
> I am trying to use python gdb to debug a python process that is hanginig
> - it is a thread lock situation.
Larry,
python-dev is a mailing list for the development of Python, not the
development with Python. So this question is off-topic.
> 1) Does anyone have any idea why this might be happen
Hi
I am trying to use python gdb to debug a python process that is hanginig - it
is a thread lock situation.
I have been trying to use the gdbinit macros to help me in this, but when I
attempt to access f->f_nlocals in a PyEval_EvalFrameEx object it informs There
is no member named f_nlocals.
54 matches
Mail list logo
