[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

Jon Ribbens jon+python-dev at unequivocal.co.uk
Tue Apr 12 10:03:47 EDT 2016


On Tue, Apr 12, 2016 at 01:40:57PM +0000, David Wilson wrote:

> On Tue, Apr 12, 2016 at 11:12:27PM +1000, Steven D'Aprano wrote:
> > I can think of one possible threat. Suppose that the locale library
> > has a bug, so that calling "aardvark".isdigit seg faults, potentially
> > executing arbitrary C code, but at the very least crashing the
> > application. Is that the sort of attack you're concerned by?
>
> This thread already covered the need to address SEGV at length. For a
> truly evil user, almost any kind of crash is an opportunity to take
> control of the system, and a security solution ignoring this is no
> security solution at all.

Indeed.

> But that's not what's happening, instead a dead horse is being flogged
> over a hundred messages in our inboxes and IMHO it is excruciating to
> watch.

I don't think that is true at all, and I personally have found this thread very interesting. I apologise if others have not.

> > Even if the only thing we learn from Jon's experiment is a new set of
> > tricks for breaking out of the sandbox, that's still interesting, if
> > not useful.
>
> Don't forget the worst case: a fundamentally broken security module
> heavily marketed to the naive using claims the core team couldn't break
> it.

I should point out that my module is called "unsafe.py", is titled an "experiment", and prominently states in the README:

Do not use this code for any purpose in the real world.

I will not be putting it up as an installable package, and as already stated it was never my intention to suggest that it or anything like it be included in the stdlib. I will however leave it on github for anyone who wants to have a go at breaking into it in the future.


