[issue42472] security hole in eval()

2020-11-26 Thread STINNER Victor


STINNER Victor  added the comment:

> The specification specifically allows for the restriction of access to 
> globals via the second argument to eval.

The Python language reference doesn't provide any warranty like that.
https://docs.python.org/dev/library/functions.html#eval

I close the issue as "not a bug".

All previous attempts to "sandbox" Python code in Python have failed. The 
correct way is to run Python in a sandbox. Not the opposite.

> https://lwn.net/Articles/574215/ 

This one was my attempt for example ;-)

--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue42472] security hole in eval()

2020-11-26 Thread Christian Heimes


Christian Heimes  added the comment:

Your assumption is incorrect. The eval() does not promise that default builtins 
cannot be accessed through other means. The behavior has been discussed several 
times and at great length over the past decade.

--




[issue42472] security hole in eval()

2020-11-26 Thread Chris Drake


Chris Drake  added the comment:

The specification specifically allows for the restriction of access to globals 
via the second argument to eval.

While Christian and Victor make interesting, albeit suicidal, comments and 
references to other efforts, the fact remains that this is a violation of the 
standard, and is an exploitable security issue.

It's worth noting that the 1980's are long over now - people take security 
seriously these days, even when it's inconvenient.

The fix seems ridiculously trivial for what it's worth; introduce a flag that 
honors the intent of the second argument.

--




[issue42472] security hole in eval()

2020-11-26 Thread STINNER Victor


STINNER Victor  added the comment:

I suggest you read https://python-security.readthedocs.io/security.html 
about the Python security model. In short, as soon as you let users execute 
arbitrary Python code, they get full access to the machine.

If you want to restrict access, you must run Python inside a restricted 
container (or any sandbox).

--
nosy: +vstinner




[issue42472] security hole in eval()

2020-11-26 Thread Christian Heimes


Christian Heimes  added the comment:

Would you care to explain why this should not work and how this behavior is in 
violation of the language specification?

It is a perfectly valid expression. From a security perspective it may be an 
undesired feature. However, Python does neither claim nor promise that eval is 
secure; see the article https://lwn.net/Articles/574215/ for more information on a 
failed attempt to sandbox Python. There is also the ast.literal_eval() function, 
which provides limited evaluation of simple expressions.

--
nosy: +christian.heimes



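The point made in the thread, that an empty __builtins__ dict passed to eval() is not a sandbox while ast.literal_eval() is the right tool for evaluating untrusted data, as an added example written for this page (not code from the tracker thread or from CPython). The helper names restricted_eval, builtins_are_removed, evaluate_untrusted_literal and literal_eval_rejects are assumptions introduced here; ISSUE_EXPRESSION is the expression from the original report.

```python
"""Added example: why restricting __builtins__ does not sandbox eval(),
and what ast.literal_eval() accepts and rejects instead."""
import ast

# Expression from the original report: it never names a builtin, so
# emptying __builtins__ does nothing to stop it.
ISSUE_EXPRESSION = (
    "().__class__.__base__.__subclasses__()[-1].__init__.__globals__"
)


def restricted_eval(expression: str):
    """eval() with an empty __builtins__ dict, the setup the report assumed
    would confine the expression to its globals/locals arguments."""
    return eval(expression, {"__builtins__": {}}, {"__builtins__": {}})


def builtins_are_removed(expression: str) -> bool:
    """True if the expression fails because a builtin name is unavailable.
    This is all the second argument to eval() actually controls."""
    try:
        restricted_eval(expression)
    except NameError:
        return True
    return False


def issue_expression_escapes() -> bool:
    """Run the report's expression under the 'restricted' eval and report
    whether it handed back a real module's globals dict. Which class is the
    last object subclass depends on what the interpreter has imported, so the
    outcome is deliberately not asserted on; the attribute walk itself is
    what the restriction fails to prevent (see builtins_are_removed)."""
    try:
        result = restricted_eval(ISSUE_EXPRESSION)
    except Exception:
        return False
    return isinstance(result, dict) and "__name__" in result


def evaluate_untrusted_literal(expression: str):
    """Defender's alternative for *data*: only Python literals (strings,
    numbers, tuples, lists, dicts, sets, booleans, None) are accepted."""
    return ast.literal_eval(expression)


def literal_eval_rejects(expression: str) -> bool:
    """True if ast.literal_eval() refuses the expression (attribute access,
    calls and subscripts are not literals and raise ValueError)."""
    try:
        ast.literal_eval(expression)
    except (ValueError, SyntaxError, TypeError):
        return True
    return False


if __name__ == "__main__":
    # Attribute traversal still works with no builtins at all:
    print(restricted_eval("().__class__.__base__"))          # <class 'object'>
    # ...only builtin *names* are gone:
    print(builtins_are_removed("abs(-1)"))                    # True
    print(issue_expression_escapes())
    # literal_eval evaluates data and refuses everything else:
    print(evaluate_untrusted_literal("{'a': [1, 2]}"))       # {'a': [1, 2]}
    print(literal_eval_rejects(ISSUE_EXPRESSION))             # True
```

ast.literal_eval() is a parser for data, not a sandbox for code: it cannot reach attributes, calls or subscripts, which is exactly what the report's expression needs. It is still worth bounding the size and nesting depth of input handed to it, since a sufficiently deep literal can exhaust the parser's stack. Anything that genuinely must execute user-supplied Python belongs in an OS-level sandbox or container, as the thread says.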

[issue42472] security hole in eval()

2020-11-26 Thread Chris Drake


New submission from Chris Drake :

This should not work:

python3.7 -c 'print(eval("().__class__.__base__.__subclasses__()[-1].__init__.__globals__", {"__builtins__": {}}, {"__builtins__": {}}))'

and should be properly fixed.

--
messages: 381892
nosy: cryptophoto
priority: normal
severity: normal
status: open
title: security hole in eval()
type: security
versions: Python 3.7
