On Fri, 8 Apr 2016 12:25 am, Jon Ribbens wrote:

> On 2016-04-07, Chris Angelico <ros...@gmail.com> wrote:
>> Options 1 and 2 are nastily restricted. Option 3 is likely broken, as
>> exception objects carry tracebacks and such.
>
> Everything you're saying here is assuming that we must not let the
> attacker see any exception objects, but I don't understand why you're
> assuming that. As far as I can see, the information that exceptions
> hold that we need to prevent access to is all in "__" attributes that
> we're already blocking.

You might be right, but you're putting a lot of trust in one security
mechanism. If an attacker finds a way around that, you're screwed. "Defence
in depth" and "default deny" are, in my opinion, better: prevent the
untrusted user from seeing everything except those things which are proven
to be safe.

--
Steven