On Tue, 12 Apr 2016, Jon Ribbens wrote: >> This is still a massive game of whack-a-mole. > > No, it still isn't. If the names blacklist had to keep being extended > then you would be right, but that hasn't happened so far. Whitelists > by definition contain only a small, limited number of potential moles. > > The only thing you found above that even remotely approaches an > exploit is the decimal.getcontext() thing, and even that I don't > think you could use to do any code execution. "I don't think"? Where's the formal proof? Without a proof, this is indeed just a game of whack-a-mole. I don't "think" Python is a suitable foundation for a sandboxing system intended for security purposes, but my "think" won't lead to security holes whereas yours will. So, I would respectfully suggest that unless you increase the rigour of your effort substantially, it is not worthwhile. Python is great for lots of applications already - there is no need to force it into unsuitable problem domains. Isaac Morland CSCF Web Guru DC 2619, x36650 WWW Software Specialist
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4