On Tue, Apr 12, 2016 at 06:21:04AM -0400, Isaac Morland wrote:
> On Tue, 12 Apr 2016, Jon Ribbens wrote:
>
> >>This is still a massive game of whack-a-mole.
> >
> >No, it still isn't. If the names blacklist had to keep being extended
> >then you would be right, but that hasn't happened so far. Whitelists
> >by definition contain only a small, limited number of potential moles.
> >
> >The only thing you found above that even remotely approaches an
> >exploit is the decimal.getcontext() thing, and even that I don't
> >think you could use to do any code execution.
>
> "I don't think"?
>
> Where's the formal proof?

I disallowed the module completely, that's the proof.

> Without a proof, this is indeed just a game of whack-a-mole.

Almost no computer programs are ever "formally proved" to be secure.
None of those that run the global Internet are. I don't see why it
makes any sense to demand that my experiment be held to a massively
higher standard than the rest of the code everyone relies on every day.
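The message above argues that an allowlist (default-deny) filter does not need extending each time a new dangerous name turns up, and that the `decimal` module was simply left off that list. The following is an added example illustrating that default-deny approach; it is not the sandbox code discussed in the thread. The allowed modules and builtins, the flat (not scope-aware) name binding, and the rule that any underscore-prefixed attribute is rejected are all assumptions made for the demonstration.

```python
from __future__ import annotations

import ast

# Constructed allowlists for illustration only; these are not the lists used
# by the sandbox discussed in the thread. Anything absent is rejected, so a
# newly discovered dangerous name needs no new rule here.
ALLOWED_MODULES = {"math", "string"}
ALLOWED_BUILTINS = {"abs", "len", "min", "max", "range", "sorted", "sum",
                    "str", "int", "float", "print"}


def _bound_names(tree: ast.AST) -> set[str]:
    """Names the program itself binds.

    Deliberately flat (not scope-aware): it only needs to tell a local
    variable or import alias apart from a builtin for this demonstration.
    """
    bound: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                bound.add(alias.asname or alias.name.split(".")[0])
    return bound


def check_source(source: str) -> list[str]:
    """Return the allowlist violations found in `source` (empty = accepted)."""
    tree = ast.parse(source)
    bound = _bound_names(tree)
    problems: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    problems.append(f"module {alias.name!r} is not on the allowlist")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] not in ALLOWED_MODULES:
                problems.append(f"module {node.module!r} is not on the allowlist")
        elif isinstance(node, ast.Attribute):
            # Assumption: no underscore-prefixed attribute is ever allowed.
            if node.attr.startswith("_"):
                problems.append(f"attribute {node.attr!r} is not on the allowlist")
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            # A loaded name must be bound by the program or be an allowed builtin.
            if node.id not in bound and node.id not in ALLOWED_BUILTINS:
                problems.append(f"name {node.id!r} is not on the allowlist")
    return problems


if __name__ == "__main__":
    # Constructed sample programs: one accepted, three rejected by default.
    for sample in ("import math\nprint(math.sqrt(2))",
                   "import decimal\ndecimal.getcontext()",
                   "x = 1\nx.__class__",
                   "open('f')"):
        print(repr(sample), "->", check_source(sample) or "accepted")
```

Note that `decimal` is rejected at the import, exactly as the message says the module was handled: nothing about `getcontext()` itself has to be known to the checker, which is the practical difference between an allowlist and a blocklist that must be patched every time a new problematic name is found.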