On 21/01/20 6:57 pm, mus...@posteo.org wrote:
If I start with empty global and
local dicts, and an empty __builtins__, and I screen the input string
so it can't contain the string "import", is it still possible to have
"targeted" malicious attacks?
Yes.
Python 3.7.3 (default, Apr 8 2019, 22:20:19)
[GCC 4.2.1 (Apple Inc. build 5664)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>>
eval("(1).__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']",
{"__builtins__":{}})
<built-in function __import__>
You can probably find a way to block that particular loophole.
But then there will be another one, and another, and another...
You'll never be sure that you've found all of them.
--
Greg
--
https://mail.python.org/mailman/listinfo/python-list