[Python-Dev] Challenge: Please break this! [Now with blog post]
tav tav at espians.com
Tue Feb 24 14:29:26 CET 2009
antoine> You'd better make builtins read-only, it will
antoine> plug a whole class of attacks like this.
I tried to put this off as long as I could to try and unearth interesting attacks.
But unfortunately I couldn't figure out a way to fix the warnings approach used by Daniel without doing this -- so from v7 builtins isn't shared any more.
The good thing is that we won't have more of the builtins class of attacks -- the flip side is that we might be closing the door on discovering some really interesting gems...
andrew> I can look up the stack frames and get
andrew> "open_file", which I can then use for whatever I want.
Ehm, thanks for taking the time to implement that Andrew.
But the challenge was about doing `from safelite import FileReader`.
I specifically stated that form over the openly exploitable `import safelite`... so, sorry =(
You have to remember that this isn't the way that this code will actually be used in practice. This is just a challenge to see if the model holds...
-- love, tav
plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369 http://tav.espians.com | http://twitter.com/tav | skype:tavespian