On Aug 3, 10:04 pm, sturlamolden <sturlamol...@yahoo.no> wrote:
> On 2 Aug, 15:50, Jizzai <jiz...@gmail.com> wrote:
>
> > Is a _pure_ python program buffer overflow proof?
> >
> > For example in C++ you can declare a char[9] to hold user input.
> > If the user inputs 10+ chars a buffer overflow occurs.
>
> Short answer: NO
>
> Bounds checking on sequence types is a protection against buffer
> overflow, but is certainly not sufficient.
>
> The Python interpreter is written in C. Python extension modules are
> written in C (or something similar). If you find an unprotected buffer
> in this C code, you can possibly overflow this buffer. This can be
> used for nasty things like corrupting the stack and injecting
> malicious code. There is a reason why the Python sandbox (rexec and
> Bastion modules) was disabled in Python 2.3.
>
> IronPython and Jython provide better protection against buffer
> overflow than CPython, as these interpreters are written in safer
> languages (C# and Java). You thus get an extra layer of protection
> between the Python code and the unsafe C (used in JVM and .NET
> runtimes).
Well, both Java and .NET have their own FFI that lets you do whatever you want (more or less).

Michael Foord
--
http://www.ironpythoninaction.com/
--
http://mail.python.org/mailman/listinfo/python-list
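The same boundary exists in CPython itself: its FFI is ctypes. The added example below (not part of the thread) uses the char[9] from the question and constructs the sample inputs itself; it shows that index assignment on a bytearray and `.value` assignment on a ctypes buffer are both bounds-checked by the runtime, while the raw `ctypes.memmove` primitive copies whatever length it is told, so a length check has to be written by hand before calling it. Function names and the guard are the example's own.

```python
import ctypes

BUF_SIZE = 9  # the char[9] from the original question (constructed sample size)


def write_into(dst: bytearray, data: bytes) -> str:
    """Pure-Python buffer: every index is bounds-checked by the interpreter."""
    try:
        for i, b in enumerate(data):
            dst[i] = b  # raises IndexError instead of writing past the end
        return "ok"
    except IndexError:
        return "rejected"


def ctypes_value_write(data: bytes) -> str:
    """ctypes fixed-size buffer: the .value setter checks the length for you."""
    buf = ctypes.create_string_buffer(BUF_SIZE)
    try:
        buf.value = data  # raises ValueError("byte string too long") if oversize
        return "ok"
    except ValueError:
        return "rejected"


def guarded_memmove(data: bytes) -> str:
    """Raw FFI copy: memmove trusts the count argument, so the check is ours.

    Without the explicit length check, memmove(buf, data, len(data)) with a
    10-byte input would write one byte past the 9-byte buffer (undefined
    behaviour in the C runtime), which is exactly what the thread warns about.
    """
    buf = ctypes.create_string_buffer(BUF_SIZE)
    if len(data) > BUF_SIZE:
        return "rejected"  # hand-written guard at the Python/C boundary
    ctypes.memmove(buf, data, len(data))
    return "ok" if buf.raw[: len(data)] == data else "corrupt"


if __name__ == "__main__":
    short, long_ = b"12345678", b"0123456789"  # constructed inputs: 8 and 10 bytes
    for fn in (ctypes_value_write, guarded_memmove):
        print(fn.__name__, fn(short), fn(long_))
    print("write_into", write_into(bytearray(BUF_SIZE), short),
          write_into(bytearray(BUF_SIZE), long_))
```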