Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mail.python.org/pipermail/python-dev/2016-April/143991.html below:

[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

• Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 12, 2016 at 10:42 PM, Jon Ribbens
<jon+python-dev at unequivocal.co.uk> wrote:
> On Tue, Apr 12, 2016 at 02:31:19PM +0200, Victor Stinner wrote:
>> Oh, I forgot to mention another vulnerability: you block access to
>> attributes by replacing getattr and by analyzing the AST. Ok, but one
>> more time, it's not enough. If you get access to obj.__dict__, you
>> will likely get access to any attribute using obj_dict[attr] instead
>> of obj.attr.
>
> That's not a vulnerability, and it's something I already explicitly
> mentioned - if you can get a function to return an object's __dict__
> then you win. The question is: can you do that?

The question is, rather: Can you prove that we cannot?

ChrisA

• Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4