
Trusted python

rmm
Here's a first attempt at trusted python. I would be grateful if any
python gurus could point out the, no doubt obvious, flaws.
I've stopped fileobject working with patches to fileobject and
frameobject. All child frames of the first 'trusted' frame are trusted
(checked using inspect.getouterframes(inspect.currentframe())). Trusted
is a one-way switch.

Is there anything I'm missing about the python frame structure?
Is there any way of circumventing __getattribute__/__setattr__ ?
Is there any way of getting to builtins once the imported __builtin__
methods are replaced?

Regards

Ronnie Mackay
------------------Use example------------------------
import trusted
import inspect

l_trusted=trusted.Trusted(inspect.currentframe(),
                          ['eval','reload','compile','input','execfile'],
                          [<list allowable modules>])

<...Attacks here...>

--------------- trusted.py ---------------
import __builtin__

class TrustedException(Exception): pass
class TrustedImportException(Exception): pass

class Trusted(object):

    def __init__(self, in_main_frame, in_exclude_builtins, in_modules):
        in_main_frame.trusted() # **NOTE C PATCH. REMOVE THIS TO RUN UNPATCHED
        # Store state via object.__setattr__ because __setattr__ below always raises.
        object.__setattr__(self, '_m', in_modules)
        object.__setattr__(self, '_import', __builtin__.__import__)
        # Replace each excluded builtin with the method that raises TrustedException.
        for l_builtin in in_exclude_builtins:#__main__.__builtins__.__dict__.keys():
            __builtin__.__dict__[l_builtin]=object.__getattribute__(self, 'error')
        __builtin__.__import__=object.__getattribute__(self, 'trusted_import')

    def error(self, *args):
        raise TrustedException

    def trusted_import(self, in_name, in_globals=None, in_locals=None, in_as=None):
        l_globals=in_globals or globals()
        l_locals=in_locals or locals()
        l_as=in_as or []
        # Only modules on the allow list are passed to the saved original __import__.
        if in_name in object.__getattribute__(self, '_m'):
            return object.__getattribute__(self, '_import')(in_name, l_globals, l_locals, l_as)
        else:
            raise TrustedImportException(in_name)

    def __setattr__(self, name, value):
        raise TrustedException

    def __getattribute__(self, name):
        if name != 'trusted_import':
            raise TrustedException
        return object.__getattribute__(self, name)
---------------- attempts to open a file -------------------
NOTE: These can't be reproduced without patching python

Test   : open('/dev/null') in the main module
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Test   : within an imported module, open('/dev/null')
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Test   : exec "open('/dev/null')"
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Test   : get file from base types [(1).__class__.__bases__[0].__subclasses__()[-4]('/dev/null')]
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Jul 19 '05 #1
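
An added example, not part of the original post and not the poster's code: a Python 3 sketch of the name-level half of the scheme above (denied builtins plus an import allow list), applied per `exec` namespace rather than by patching the global builtins module and without the C patch. The function names and the `DENIED`/`ALLOWED` lists are assumptions made for illustration. The last case has the shape of the post's fourth test and shows that blocking names does not hide the type graph, which is the gap the post's interpreter patches are there to cover.

```python
import builtins

class TrustedException(Exception):
    """Raised when restricted code calls a denied builtin."""

class TrustedImportException(Exception):
    """Raised when restricted code imports a module outside the allow list."""

def make_restricted_builtins(denied, allowed_modules):
    """Copy the builtins table for one exec instead of patching it globally."""
    real_import = builtins.__import__

    def denied_call(*args, **kwargs):
        raise TrustedException("builtin disabled in trusted mode")

    def trusted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Judge dotted names by their top-level package ("os.path" -> "os").
        if name.split(".")[0] not in allowed_modules:
            raise TrustedImportException(name)
        return real_import(name, globals, locals, fromlist, level)

    table = dict(vars(builtins))
    for name in denied:
        table[name] = denied_call
    table["__import__"] = trusted_import
    return table

def run_restricted(source, denied, allowed_modules):
    """Exec source under the restricted table; return its 'result' or the error name."""
    namespace = {"__builtins__": make_restricted_builtins(denied, allowed_modules)}
    try:
        exec(source, namespace)
    except (TrustedException, TrustedImportException) as exc:
        return type(exc).__name__
    return namespace.get("result", "ok")

# Constructed policy for this example (not the poster's lists).
DENIED = ["eval", "compile", "input", "open"]
ALLOWED = ["math"]

def demo():
    return [
        run_restricted("open('/dev/null')", DENIED, ALLOWED),
        run_restricted("import math; result = math.floor(2.5)", DENIED, ALLOWED),
        run_restricted("import os", DENIED, ALLOWED),
        # The post's fourth test shape: types are reachable with no builtin name.
        run_restricted("result = len((1).__class__.__bases__[0].__subclasses__()) > 0",
                       DENIED, ALLOWED),
    ]
```

`demo()` returns one outcome per case: the first and third are refused by name, the second runs, and the fourth succeeds even though no denied name is used.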