[Python-Dev] Restricted interpreter

Guido van Rossum guido@python.org
Fri, 08 Nov 2002 16:15:12 -0500


> > Are you aware of the standard library module 'rexec'?
>
> In fileobject.c:
>
>     /* rexec.py can't stop a user from getting the file() constructor --
>        all they have to do is get any file object f, and then do
>        type(f).  Here we prevent them from doing damage with it. */
>     if (PyEval_GetRestricted()) {
>
> It looks like I was going to reinvent the wheel.

Glad you noticed. ;-)

> Is this being used in some project you know about?

Not that I'm aware of, and in fact we've plugged enough security leaks in it so far that I'm not eager to recommend. But then, your reinvented wheel would have the same problem.

> Btw, what's the point of FileWrapper, having in mind that it stores 'f' as an accessible attribute?
>
> >>> r.sexec("""import sys; print sys.stdout.f""")
> <open file '', mode 'w' at 0x100eec30>

Beats me! It looks like a debugging hack that accidentally made it into the code; the code works just as well without self.f, it seems.

Unclear if there's any damage, since FileWrapper is only used to wrap stdin, stdout and stderr.

But this amplifies the warning about rexec's viability.

Maybe you can use the time you were going to spend on reinventing rexec for a security audit instead...

--Guido van Rossum (home page: http://www.python.org/~guido/)
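
The following is an added example, not part of the original message and not rexec's code: an audit check, in the spirit of the security audit suggested above, that lists the attribute paths through which a wrapped file object is reachable from its wrapper. The two wrapper classes, `OK_METHODS` and the function names are hypothetical models, and the code runs on Python 3 without any restricted mode, so its results say nothing about what rexec's restricted execution did or did not block.

```python
import io

OK_METHODS = ("write", "flush")  # hypothetical allow-list for this model


class WrapperWithF:
    """Model of the wrapper discussed above: keeps the raw file as self.f."""

    def __init__(self, f):
        self.f = f
        for name in OK_METHODS:
            setattr(self, name, getattr(f, name))


class WrapperWithoutF:
    """The same model with the self.f line dropped."""

    def __init__(self, f):
        for name in OK_METHODS:
            setattr(self, name, getattr(f, name))


def raw_object_paths(wrapper, raw):
    """Return the attribute paths on `wrapper` that lead back to `raw`.

    Checks each instance attribute directly, and the __self__ of any
    bound method stored on the instance.
    """
    paths = []
    for name, value in sorted(vars(wrapper).items()):
        if value is raw:
            paths.append(name)
        elif getattr(value, "__self__", None) is raw:
            paths.append(name + ".__self__")
    return paths


def audit(wrapper_cls):
    """Wrap a constructed stand-in file and report (paths, text written)."""
    raw = io.StringIO()  # constructed stand-in for a real stdout
    wrapper = wrapper_cls(raw)
    wrapper.write("still works\n")  # delegation works with or without self.f
    return raw_object_paths(wrapper, raw), raw.getvalue()


if __name__ == "__main__":
    for cls in (WrapperWithF, WrapperWithoutF):
        print(cls.__name__, audit(cls))
```
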