On Jan 17, 12:04 am, ajaksu <aja...@gmail.com> wrote: > On Jan 16, 3:45 pm, mario ruggier <mario.rugg...@gmail.com> wrote: > > > > '(x for x in ()).throw("bork")' > > > What is the potential security risk with this one? > > I don't see a concrete issue, just found it tempting... raising hand- > crafted objects :)
OK, I can think of no good reson why anyone would want to do that from within a temlate, so I'd be fine with blocking out any attribute whose name starts with "throw" to block this out. > > All the above attempts will be blocked this way. Any other disallow- > > sub-strings to add to the list above? > > None that I know of, but I suggest testing with dir, globals, locals > and '__' enabled (which I haven't done yet), as spotting possible > flaws should be easier. If you can get BOM+encoded garbage tested > (seehttp://tinyurl.com/72d98y), it might be worth it too. The BOM stuff is interesting... from that discussion, I think it would be also a good idea to blacklist "object" out of the restricted builtins. I played with this, and prepared a file template as well as a little script to run it... see below. To tweak any disallwoed builtins back into the restricted namespace for testing, you can just do something like: d.set_on_globals("dir", dir) for each name you'd like to add, when setting up the domain (see script below). To re-enable "__" lookups, you'd need to tweak the regexp above, in the RestrictedEvaluator class. > This one fails in lots of interesting ways when you juggle keyword- > args around: > exprs = [ > 'evoque("hmm", filters=[unicode.upper ] ,src="/etc/python2.5/ > site.py")', > ] Not sure what you mean... it just renders that source code file uppercased (if it finds it as per the domain setup) ?!? Here's (a) a mini testing py2-py3 script, similar to previous one above but to read a template from a file (there may be additional tricks possible that way), and (b) a sample companion test template. evoque_restricted_file_test.py ---- # in lieu of print, py2/py3 import sys def pr(*args): sys.stdout.write(" ".join([str(arg) for arg in args])+'\n') # from os.path import abspath, join, dirname from evoque import domain, template # set the base for for the defualt collection DEFAULT_DIR = abspath((dirname(__file__))) # a restricted domain instance d = domain.Domain(DEFAULT_DIR, restricted=True, errors=3, quoting='str') # errors: 3 -> renders, 4 -> raises any evaluation errors, # see: http://evoque.gizmojo.org/usage/errors/ # Tweak domain.globals to add specific callables for testing: d.set_on_globals("dir", dir) d.set_on_globals("gobals", globals) d.set_on_globals("locals", locals) pr("domain", d.default_collection.dir, d.restricted and "RESTRICTED" or "*** unrestricted ***") t = d.get_template(restricted_exprs.txt) pr(t.evoque()) ---- restricted_exprs.txt ---- #[ BOM + encoded trickery Note: when evaluated in python interpreter: >>> eval("# coding: utf7\n +AG8AYgBqAGUAYwB0AC4AXwBfAHMAdQBiAGMAbABhAHMAcwBlAHMAXwBf-") <built-in method __subclasses__ of type object at 0x1f1860> but when specified within a template here as: ${# coding: utf7\n +AG8AYgBqAGUAYwB0AC4AXwBfAHMAdQBiAGMAbABhAHMAcwBlAHMAXwBf-} gives **pre-evaluation**: SyntaxError: unknown encoding: utf7 ]# ${"# coding: utf7\n +AG8AYgBqAGUAYwB0AC4AXwBfAHMAdQBiAGMAbABhAHMAcwBlAHMAXwBf-"}, #[ Attempt to subversively build string expressions ]# Explicitly written target expression: ().__class__.mro() [1].__subclasses__() evaluates: ${().__class__.mro()[1].__subclasses__()} Subversive variation: "()."+"_"*2+"class"+"_"*2+".mro() [1]."+"_"*2+"subclasses"+"_"*2+"()" evaluates (to just the str!): ${"()."+"_"*2+"class"+"_"*2+".mro() [1]."+"_"*2+"subclasses"+"_"*2+"()"} Attempt to "set" same subsersively built expr to a loop variable and then "evaluate" that variable: $for{ expr in [ str("()."+"_"*2+"class"+"_"*2+".mro() [1]."+"_"*2+"subclasses"+"_"*2+"()") ] } evaluates (to just the str!): ${expr} attempt eval(...): ${eval(expr)} $rof (Note: evoque does not explicitly allow arbitrary setting of variables, except within for loops.) ---- mario -- http://mail.python.org/mailman/listinfo/python-list