> > There's very little code devoted specifically to security.
> > However, there's a feature called "restricted mode", and in
> > restricted mode, certain introspections are disallowed.
> > Restricted mode is on when a particular stack frame's __builtins__
> > dictionary isn't the default one (which is __builtin__.__dict__ --
> > note the difference between __builtin__, which is a module, and
> > __builtins__, which is a global with magic meaning). Read the
> > source for PyFrame_New().
>
> And while I am reading that piece of code, anything else I should
> take a look at? I am tired of not being able to help out more at
> the C level but I don't know where to start to get a good, overall
> view of the codebase short of starting at the eval loop and just
> reading the code that it calls (as of right now I just want a good,
> deep understanding of how Python does internal object representation
> and how extension modules actually work; parser can wait for another
> day =).

For learning how things work, I recommend studying extension module
code rather than the implementation first; then you can follow leads
from the extension. Or use gdb to step through the C code of an
extension doing something fairly simple.

> > It turns out that in 2.2 and beyond, not enough restrictions were
> > placed on disallowing new introspections that were enabled by
> > virtue of the class/type integration, and that's the cause of most
> > rexec vulnerabilities.
>
> Is there any desire to bother to fix this? Or would it be better to
> just rip this stuff out and hope some TrustedPython project pops up
> to take over rexec, Bastion, and such and do the work of making
> secure Python code?

I'd like the restricted mode even if it's not perfect, and I hope one
day it will work again. It's mostly a matter of lack of brain cycles.

--Guido van Rossum (home page: http://www.python.org/~guido/)
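The identity test the message describes (a frame counts as restricted when its builtins dictionary is not the interpreter's default one), as an added Python 3 example that is not from the thread or from CPython; `is_restricted_frame` and `run_with_builtins` are names assumed here, and the sample sources are constructed. Python 3 still exposes a frame's builtins as `f_builtins` but no longer has a restricted mode, so the code only reports the condition and shows what swapping `__builtins__` does and does not stop.

```python
import builtins
import sys


def is_restricted_frame(depth: int = 1) -> bool:
    """The check old PyFrame_New() made: is the caller's builtins dict the
    interpreter's default one?  Identity, not equality, is what matters."""
    frame = sys._getframe(depth)
    return frame.f_builtins is not builtins.__dict__


def run_with_builtins(src: str, allowed: dict):
    """Execute src with `allowed` installed as __builtins__ (hypothetical
    helper).  Returns ('ok', result) or ('blocked', message) when a name
    lookup fell through to the replaced builtins and found nothing.

    Note: a trimmed builtins dict only removes names; as the thread says,
    it does not restrict what class/type introspection can reach, so this is
    a demonstration of the switch, not a sandbox."""
    ns = {"__builtins__": allowed,  # no copy: identity is the whole test
          "is_restricted_frame": is_restricted_frame}
    try:
        exec(src, ns)
    except NameError as exc:
        return ("blocked", str(exc))
    return ("ok", ns.get("result"))


def run_unrestricted(src: str):
    """Same thing with the real builtins dict, so the frame is not restricted."""
    return run_with_builtins(src, builtins.__dict__)


# Constructed sample sources.
PROBE = "result = is_restricted_frame()"   # reports the frame's own status
SAFE = "result = len('abc')"                 # only needs an allowed name
FILE_ACCESS = "result = open('secret.txt')"  # 'open' not in the allowed set

if __name__ == "__main__":
    print(run_unrestricted(PROBE))                         # ('ok', False)
    print(run_with_builtins(PROBE, {}))                    # ('ok', True)
    print(run_with_builtins(SAFE, {"len": len}))           # ('ok', 3)
    print(run_with_builtins(FILE_ACCESS, {"len": len}))    # ('blocked', ...)
```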