[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited) (original) (raw)
Jon Ribbens jon+python-dev at unequivocal.co.uk
Fri Apr 8 11:44:15 EDT 2016
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Apr 08, 2016 at 05:21:38PM +0200, Arthur Darcet wrote:
If i'm not mistaken, this breaks out: > exec('open("out", "w").write("a")', {}) because if the second argument of exec does not contain a builtins key, then a copy of the original builtins module is inserted: https://docs.python.org/3/library/functions.html#exec
Ah, that's a good point. I did think allowing eval/exec was a bit ambitious. I've updated it to disallow passing namespace arguments to them.
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]