[Python-Dev] Re: Python and Security

Paul Prescod paul@prescod.net
Sun, 20 Jan 2002 15:49:58 -0800


Ka-Ping Yee wrote:

... That said, however, i wonder why security rarely comes up as an issue for Python.

I guess you didn't read comp.lang.python this week. ;)

http://www.securityfocus.com/archive/1/250580

... Is it because nobody expects security properties from the language?

Remember that people for a long time thought of Perl as a "CGI language". And early uses of CGI would probably have depended heavily on the Perl equivalents of "popen" and "system". Plus, those features are so easy to get at in the language. Compare:

print `ls`

versus:

import os

print os.popen("ls").read()

If you were a newbie in each of these languages, what is the percentage chance of your using either of these features versus the list-dir equivalent? List-dir is available in each language.

... Does anyone know how much the restricted execution feature gets used?

I personally would not trust it because I don't know if anyone is following its progress from one version of Python to another. I also know that even languages that are designed from scratch to be safe (Java and JavaScript) have had leaky implementations, so I don't really hold out much hope for Python until I hear that someone is actively researching this.

... Is there anyone here that would use a tainting feature if it existed?

I'd like to think I've internalized taint rules by osmosis...

(By the way, i'm planning to be at Python 10, and hope to see many of you there. As i'm looking for ways to keep costs down, would anyone be interested in splitting the cost of a hotel room in exchange for a roommate with a strange hairstyle? I'll be there Feb 4 to 7, three nights.)

Maybe there should be a bulletin board or something for people to find each other. I think one of the Python conferences had something like that...for hotels and also to share cabs from the airport.

Paul Prescod
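The popen-versus-listdir contrast and the tainting question discussed in the thread, as an added example that is not from the original message or from Python's standard library: a minimal Perl-style taint marker that refuses to let untrusted input reach a shell command, beside the os.listdir equivalent that needs no such guard (Tainted, untaint, shell_listing and listdir_listing are assumed names; the sample directory is constructed by the code).

```python
import os
import shlex
import tempfile

# Constructed demo of taint checking: values that arrive from outside the
# program (CGI parameters, argv, environment) are wrapped as Tainted and may
# only reach a shell after an explicit validation step has untainted them.

class Tainted(str):
    """A str that remembers it came from an untrusted source."""

class TaintError(ValueError):
    """Raised when a tainted value reaches a shell or fails validation."""

def untaint(value, allowed=frozenset("._-/")):
    """Validate a tainted value and return a plain str, or raise TaintError."""
    if not isinstance(value, Tainted):
        return value  # already trusted, pass through unchanged
    if not all(c.isalnum() or c in allowed for c in value):
        raise TaintError("refusing to untaint %r" % str(value))
    return str(value)

def shell_listing(path):
    """The popen-style listing from the message: shells out to ls.
    Refuses tainted input rather than interpolating it into the command."""
    if isinstance(path, Tainted):
        raise TaintError("tainted value reached a shell command")
    with os.popen("ls -1 %s" % shlex.quote(path)) as fh:
        return fh.read().split()

def listdir_listing(path):
    """The list-dir equivalent: no shell is involved, so taint is irrelevant."""
    return sorted(os.listdir(str(path)))

def is_rejected(func, value):
    """True if func(value) raises TaintError, False if it runs normally."""
    try:
        func(value)
    except TaintError:
        return True
    return False

def make_sample_dir():
    """Constructed fixture: a temp dir holding three empty files."""
    d = tempfile.mkdtemp()
    names = ["a.txt", "b.txt", "c.txt"]
    for n in names:
        open(os.path.join(d, n), "w").close()
    return d, names
```

Both listing helpers return the same names for a trusted path; the shell version only differs in that it refuses the Tainted wrapper until untaint has checked the value.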