> > Of course that assumes that the main features in the core are secure.
> > Samuele's observation that restricted code can modify a new-style
> > class passed in belies that.
>
> How that would affect Python itself, if no rexec module was offered? He
> wouldn't even notice that this problem was there, unless he was using
> the "python-rexec" external module. Even then, he would have reported
> this as a bug in "python-rexec", not in Python itself.

I was assuming that even if you're not using the rexec module, you're
using *some* way to execute untrusted Python code. If that untrusted
Python code is given access to a new-style class, the hole is as open
as ever. (Fortunately you can't modify built-in types, otherwise the
hole would be much bigger and much harder to avoid.)

> That's the goal! To get into the hall-of-fame, one would have to tell
> how he got in. We can also send an email to someone just before
> executing the code, so that even anonymous hackers contribute with the
> idea.

I don't expect you'll ever reach the point where it'll be wise to
advertise this as safe. I certainly won't.

--Guido van Rossum (home page: http://www.python.org/~guido/)
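
Added example, not part of the original message: a Python 3 sketch of the point made in the reply, where every class is new-style and `exec` with emptied builtins stands in for "some way to execute untrusted Python code" (it is not a sandbox). `Account`, `run_untrusted`, `demo` and the two snippets are hypothetical names constructed for illustration.

```python
# Added illustration, not code from the thread. Assumption: exec() with an
# empty __builtins__ models "some way to execute untrusted Python code".

class Account:
    """Host-side class whose instances are handed to untrusted code."""

    def __init__(self, owner):
        self.owner = owner

    def is_authorized(self, user):
        return user == self.owner


# Constructed snippet: it is given one object, `obj`, and no builtins,
# yet it can reach the object's class and rebind a method on it.
UNTRUSTED_REBIND = """
cls = obj.__class__
cls.is_authorized = lambda self, user: True
"""

# Constructed snippet: the same move against a built-in type (str).
UNTRUSTED_BUILTIN = """
obj.owner.__class__.upper = lambda self: 'x'
"""


def run_untrusted(source, obj):
    """Run source with one exposed object; return the exception name or None."""
    env = {"__builtins__": {}, "obj": obj}
    try:
        exec(source, env)
    except Exception as exc:
        return type(exc).__name__
    return None


def demo():
    acct = Account("alice")
    before = acct.is_authorized("mallory")          # host check, untouched class
    err_class = run_untrusted(UNTRUSTED_REBIND, acct)
    # The class itself was changed, so instances the host creates later
    # (never shown to the untrusted code) are affected as well.
    after = Account("bob").is_authorized("mallory")
    err_builtin = run_untrusted(UNTRUSTED_BUILTIN, acct)
    return before, err_class, after, err_builtin


if __name__ == "__main__":
    print(demo())
```

The user-defined class is silently rewritten for the whole process, while the attempt on `str` is rejected by the interpreter, which is the distinction drawn in the parenthetical about built-in types.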