[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited) (original) (raw)
Jon Ribbens jon+python-dev at unequivocal.co.uk
Tue Apr 12 07:14:45 EDT 2016
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, Apr 12, 2016 at 06:21:04AM -0400, Isaac Morland wrote:
> On Tue, 12 Apr 2016, Jon Ribbens wrote:
>>> This is still a massive game of whack-a-mole.
>>
>> No, it still isn't. If the names blacklist had to keep being extended
>> then you would be right, but that hasn't happened so far. Whitelists
>> by definition contain only a small, limited number of potential moles.
>>
>> The only thing you found above that even remotely approaches an
>> exploit is the decimal.getcontext() thing, and even that I don't
>> think you could use to do any code execution.
>
> "I don't think"? Where's the formal proof?
I disallowed the module completely, that's the proof.
> Without a proof, this is indeed just a game of whack-a-mole.
Almost no computer programs are ever "formally proved" to be secure. None of those that run the global Internet are. I don't see why it makes any sense to demand that my experiment be held to a massively higher standard than the rest of the code everyone relies on every day.