469,271 Members | 1,009 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,271 developers. It's quick & easy.

Is this the "right" way to do rexec?

I came across this recipe on the Python Cookbook site:

http://aspn.activestate.com/ASPN/Coo.../Recipe/286134

As written, it allows evaluation of either constants or more general
expressions involving constants and operators (but not function
calls).

I haven't thoroughly tested it for security, but it at least passes
the smoke test. Assuming that this can either be demonstrated to be
as secure as the python interpreter itself (i.e. we can't blame the
recipe for some hypothetical exploit that targets the Python
interpreter), or that testing can demonstrate a reasonable probability
that it's secure, would this be a good basis for implementing a
restricted execution environment?

Pros: It analyzes the Python bytecode itself looking for fishy stuff.
This means it should be harder to trick using, for example:

del __builtins__;import os

.... which would compromise the old rexec.

Cons: It's a bytecode hack. Python bytecodes are not guaranteed to be
portable across versions of CPython, and it certainly wouldn't work on
Jython (although a similar module that analyzes the Java bytecodes
might work).

The recipe's author gives a hint on how to allow certain types of
imports by restricting what can be referenced via the LOAD_NAME
opcode. For example, by scanning LOAD_NAME, you could allow importing
say, the math and cmath modules, but not os or sys. Or, by going a
step further and analyzing LOAD_ATTR opcodes, you could allow
selective usage of certain symbols within a module or attributes of a
class. You could allow say, read access but not write access to an
object's __class__ and __dict__. And, of course, you'd have to do
similar things with assignments.

Could something like this go into the standard CPython library if it
were proved secure enough?
Jul 18 '05 #1
1 1653
"Paul Miller" <pw*******@adelphia.net> wrote in message
news:2e**************************@posting.google.c om...
I came across this recipe on the Python Cookbook site:

http://aspn.activestate.com/ASPN/Coo.../Recipe/286134

As written, it allows evaluation of either constants or more general
expressions involving constants and operators (but not function
calls).


I wouldn't do it that way, as evidenced by the fact that I didn't
do it that way. I took the approach of running the compiler
tools to generate an AST, and then interpreting the result.
You can see the code (including the reference to
wherever I picked up the notion) in the TypeAdapter module
of PyFIT (version 0.5a1 and higher) which you can find in
the files section of either the extremeprogramming or FitNesse
Yahoo groups.

Of course, that approach is useful where each execution
is a one time thing. If you need to generate something and
use it many times, then verifying the byte code may be the
way to go.

John Roth
Jul 18 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Edward King | last post: by
6 posts views Thread by Dean Slindee | last post: by
44 posts views Thread by Viken Karaguesian | last post: by
1 post views Thread by tshad | last post: by
7 posts views Thread by the_grove_man | last post: by
reply views Thread by zhoujie | last post: by
reply views Thread by suresh191 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.