Re: Cython, really secure?

+1 to Sam who really hit the nail on the head and eloquently said about what I was thinking. I might have a bit more to add at some point, but the one thing here is in reference to monkeypatching and the dir function.

Monkeypatching can be great at times, no doubt about that. But it most certainly comes at a price, with its due risks and limitations. What I say here can be applied in many different cases, using dir since it's a good example though.

Disassembly. I manage to import your module so yay for that I guess.

>>> dir()
[]

Uhh, that's strange. Dir should never be doing such a thing.
Let's just have a quick look see. Want dir back?

>>> dir = lambda : []
>>> dir()
[]
#thanks stackoverflow.
>>> dir = [t for t in ().__class__.__base__.__subclasses__() if t.__name__ == 'Sized'][0].__len__.__globals__['__builtins__']["dir"]

Now call dir.

Additionally, another downside lies in the inescapable possibility where dir can most certainly be used in code. Ugly code, but code nevertheless. In many cases, that 364KB module you're including for usability could have a nasty block of code looking something like:

[i for i in dir() if not i.startswith("_") and blablabla]

I've regrettably written such code before, just because it was real easy at the time. Case in point, whenever modifying anything like that, monkeypatching, you've gotta be careful and really think it through. Especially in the standard library!

You could always perform slight modifications to the shipped interpreter. Not major to the point of functionality degradation down the road, but variables and/or attributes in places they don't need to be. As long as you remain inconspicuous and original, you're giving any potential attacker a serious run for his money.

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
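
The two points in the post above, as an added example that is not part of the original message: replacing the builtin dir with a stub hides nothing, and it silently breaks dependent code that filters dir() output. The helper names and the use of json as the stand-in third-party module are assumptions made for this illustration.

```python
import builtins
import contextlib
import json  # assumed stand-in for "that 364KB module you're including"


@contextlib.contextmanager
def dir_hidden():
    """Swap builtins.dir for a stub that returns [], then always restore it."""
    original = builtins.dir
    builtins.dir = lambda *args: []
    try:
        yield
    finally:
        builtins.dir = original


def public_names(obj):
    """Hypothetical library helper built on dir(), like the snippet in the post."""
    return [n for n in dir(obj) if not n.startswith("_")]


def names_without_dir(obj):
    """List the same names without the dir builtin, via the type's own __dir__."""
    return sorted(n for n in type(obj).__dir__(obj) if not n.startswith("_"))


def demo():
    before = public_names(json)
    with dir_hidden():
        broken = public_names(json)       # dependent code silently sees nothing
        bypass = names_without_dir(json)  # the stub did not hide a single name
    after = public_names(json)
    return before, broken, bypass, after


if __name__ == "__main__":
    before, broken, bypass, after = demo()
    print("dir()-based helper while patched:", broken)
    print("names still visible without dir():", len(bypass))
    print("helper works again after restore:", before == after)
```

The stub costs the application a working helper while an inspector loses nothing, which is why hiding names this way should not be counted as a protection.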