[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
Chris Angelico rosuav at gmail.com
Tue Apr 12 08:45:06 EDT 2016
On Tue, Apr 12, 2016 at 10:42 PM, Jon Ribbens <jon+python-dev at unequivocal.co.uk> wrote:
> On Tue, Apr 12, 2016 at 02:31:19PM +0200, Victor Stinner wrote:
>> Oh, I forgot to mention another vulnerability: you block access to attributes by replacing getattr and by analyzing the AST. Ok, but one more time, it's not enough. If you get access to obj.__dict__, you will likely get access to any attribute using obj.__dict__[attr] instead of obj.attr.
>
> That's not a vulnerability, and it's something I already explicitly mentioned - if you can get a function to return an object's __dict__ then you win. The question is: can you do that?

The question is, rather: Can you prove that we cannot?
ChrisA
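
Added example, not part of the thread and not the sandbox code under discussion: a simplified AST check that rejects underscore-prefixed attribute access, showing why it only holds as long as no object's __dict__ is reachable, plus a host-side audit for that condition. The names guarded_eval, exposed_namespaces and Account are hypothetical, and the leaked mapping is constructed for the demonstration.

```python
import ast

class Rejected(Exception):
    """Raised when the static check refuses the source."""

def underscore_attrs(source):
    """Underscore-prefixed names reached with dot syntax (ast.Attribute nodes)."""
    return [n.attr for n in ast.walk(ast.parse(source, mode="eval"))
            if isinstance(n, ast.Attribute) and n.attr.startswith("_")]

def guarded_eval(source, env):
    """Evaluate an expression only if the AST check finds no underscore attribute."""
    blocked = underscore_attrs(source)
    if blocked:
        raise Rejected(blocked)
    return eval(compile(source, "<untrusted>", "eval"), {"__builtins__": {}}, dict(env))

def exposed_namespaces(env):
    """Host-side audit: names in env bound to the __dict__ of another env object."""
    return sorted(name for name, val in env.items()
                  if any(getattr(obj, "__dict__", None) is val for obj in env.values()))

class Account:  # constructed sample object
    def __init__(self):
        self._token = "constructed-secret"

def demo():
    acct = Account()
    safe_env = {"acct": acct}
    leaky_env = {"acct": acct, "ns": vars(acct)}  # constructed host mistake
    try:
        guarded_eval("acct._token", safe_env)
        dotted = "allowed"
    except Rejected:
        dotted = "rejected"
    # A string key in a subscript is an ast.Subscript node, so the check passes it.
    via_dict = guarded_eval('ns["_token"]', leaky_env)
    return dotted, via_dict, exposed_namespaces(safe_env), exposed_namespaces(leaky_env)

if __name__ == "__main__":
    print(demo())
```

The static check cannot see keys computed at run time, so the property to audit is the one named in the thread: that nothing reachable from the restricted code returns an object's __dict__.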