On Tue, Apr 5, 2016 at 8:17 AM, Rustom Mody <rustompm...@gmail.com> wrote:
> On Tuesday, April 5, 2016 at 7:19:39 PM UTC+5:30, Jon Ribbens wrote:
>> On 2016-04-03, Jon Ribbens wrote:
>> > I'd just like to say up front that this is more of a thought experiment
>> > than anything else, I don't have any plans to use this idea on any
>> > genuinely untrusted code. Apart from anything else, there's the
>> > denial-of-service issue.
>> >
>> > That said, is there any way that the following Python 3.4 code could
>> > result in an arbitrary code execution security hole?
>> >
>> > tree = compile(untrusted_code, "<script>", "eval", ast.PyCF_ONLY_AST)
>> > for node in ast.walk(tree):
>> >     if (isinstance(node, ast.Name) and node.id.startswith("_") or
>> >         isinstance(node, ast.Attribute) and node.attr.startswith("_")):
>> >         raise ValueError("Access to private values is not allowed.")
>> > namespace = {"__builtins__": {"int": int, "str": str, "len": len}}
>> > print(eval(compile(tree, "<script>", "eval"), namespace))
>>
>> Nobody has any thoughts on this at all?
>
> I actually did...
>
> But don't know enough of the AST API to figure out what you are
> trying/avoiding etc
Same here, although it looks to me like this approach could work. Or I'm just not clever enough to see how it could be exploited.
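
The check from the quoted post wrapped as a function that reports what it rejects, as an added example that is not part of the thread and not the poster's own code. It goes beyond the post by also refusing every AST node type outside an explicit allow-list; the names `violations`, `restricted_eval` and `ALLOWED_NODES`, and the contents of that list, are assumptions of this example, which targets Python 3.8+ (where literals parse as `ast.Constant`) rather than the 3.4 named in the post.

```python
import ast

ALLOWED_BUILTINS = {"int": int, "str": str, "len": len}  # same three as the post

# Assumption of this example: a default-deny list of node types. Attribute is
# deliberately absent, so all attribute access is refused, not only "_" names.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Call,
    ast.BinOp, ast.UnaryOp, ast.Compare,
    ast.operator, ast.unaryop, ast.cmpop,
)


def violations(source):
    """Return a list of (column, reason) pairs; an empty list means accepted."""
    tree = compile(source, "<script>", "eval", ast.PyCF_ONLY_AST)
    found = []
    for node in ast.walk(tree):
        col = getattr(node, "col_offset", 0)
        # The rule from the post: no Name or Attribute starting with "_".
        if (isinstance(node, ast.Name) and node.id.startswith("_") or
                isinstance(node, ast.Attribute) and node.attr.startswith("_")):
            found.append((col, "private name"))
        # Added rule: anything not explicitly allowed is refused.
        elif not isinstance(node, ALLOWED_NODES):
            found.append((col, "node type " + type(node).__name__))
    return found


def restricted_eval(source):
    """Evaluate source only if violations() is empty. This does not address
    the denial-of-service issue the original post mentions."""
    problems = violations(source)
    if problems:
        raise ValueError("rejected: %r" % problems)
    namespace = {"__builtins__": dict(ALLOWED_BUILTINS)}
    return eval(compile(source, "<script>", "eval"), namespace)


# Constructed sample inputs.
if __name__ == "__main__":
    for src in ['len(str(int("42") + 1))', "_x + 1", "x._y", "[1, 2][0]"]:
        print(src, "->", violations(src) or restricted_eval(src))
```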