[Python-Dev] Internal namespace proposal (original) (raw)

Armin Rigo arigo at tunes.org
Thu Jul 27 13:30:17 CEST 2006

• Previous message: [Python-Dev] Internal namespace proposal
• Next message: [Python-Dev] Internal namespace proposal
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi David,

Your proposal is too vague to be useful. In Python I would not feel that any compiler-enforced restrictions are going to be too restrictive, and so I believe that your approach is not viable, but I cannot give you many concrete examples of why before you come up with a more concrete specification.

More importantly, this is going to depend critically on a restricted interpreter in the first place, in the sense of Brett, but the safety of your proposal depends on the restricted interpreter forbidding many operations that it would not otherwise forbid for its original goal. For example, in Brett's use case there is no need to prevent reading the 'func_globals' attribute of function objects, but if that's allowed, then accessing any _attribute of any module is easy.

About special methods: how do built-in functions like str(), int(), and so on, know in which context they are called? Surely you don't propose that '2+3' should be invalid because it accesses the hidden attribute '2 .add' ?

How would you formulate a rule in term on Python's attribute look-up algorithm to prevent the following trivial attack? :

x.py:

# supposedly secure?

_hidden = [1,2,3]

class A:
    def __init__(self):
        self._authorized = ...
    def read(self):
        if not self._authorized:
            raise Forbidden
        return _hidden

attack.py:

import x
class B(x.A):
    def __init__(self):
        self._authorized = True

b = B()
print b.read()   # => [1,2,3]

On any real-life example I'm sure that hacks like overriding selected methods on the instance itself would allow an attacker to confuse the remaining methods enough to leak hidden information.

Here is a metaclass attack against the rule "self._attr is only allowed if syntactically inside the class definition of the exact class of self":

class SupposedlySecure(object):
    _hidden = [1,2,3]


class MetaAttack(type):
    def read(self):
        return self._hidden   # seen as an instance attribute

class Attack(SupposedlySecure):
    __metaclass__ = MetaAttack

print Attack.read()

A bientot,

Armin.

• Previous message: [Python-Dev] Internal namespace proposal
• Next message: [Python-Dev] Internal namespace proposal
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list