473,322 Members | 1,431 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

Hardening enviroment by overloading __import__?

If this is a FAQ, please let me know where the answer is.

I have in some code an 'eval', which I hate, but it's the shortest
path to where I need to get at this point. I thought that one way I
could harden the enviroment against malicious code would be to
temporarily disable the import statement by overloading __import__,
but I tried what seemed obvious to me, and it didn't work.

What I want do do is something like this:

def __import__(*args, **kwargs):
raise ImportError, 'Not so fast, bucko!'

eval(potentially_dangerous_string)

del __import__ # To get the builtin behavior back.

Am I barking up the wrong tree with __import__?? Where should I look
for this answer?

Thanks.
--
Steve Juranich
Tucson, AZ
USA
Jul 19 '05 #1
2 1890
Steve Juranich <sj******@gmail.com> writes:
Am I barking up the wrong tree with __import__??
Yes.
Where should I look for this answer?


Don't.
Jul 19 '05 #2
Steve Juranich wrote:
I have in some code an 'eval', which I hate, but it's the shortest
path to where I need to get at this point.


What's this code trying to do? If you care about malicious code at all,
you'll avoid 'eval' completely. A couple reasons why:

With only a little trouble, I can get to the file object and write stuff
to your machine:

py> eval("().__class__.mro()[1].__subclasses__()[16]")
<type 'file'>

Sure, you can avoid this by supplying your own __builtins__ to disable
the file constructor:

py> eval("().__class__.mro()[1].__subclasses__()[16]('temp.txt')",
dict(__builtins__={}))
Traceback (most recent call last):
File "<interactive input>", line 1, in ?
File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode

But even without the file constructor, I can still access pretty much
any attribute of any class object by looking at object.__subclasses__():

py> class C(object):
.... def __init__(self):
.... self.f = file('temp.txt', 'w')
....
py> eval("().__class__.mro()[1].__subclasses__()[-1]().f.write('junk')",
dict(__builtins__={}))
py> file('temp.txt').read()
'junk'

Moral of the story: don't use eval if you care about security!

STeVe
Jul 19 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

5
by: Marco Herrn | last post by:
Hi, I am using the builtin __import__() to import modules. That works for simple modules like in this example: m= __import__("eggs") when there is the module "eggs.py" in the current...
4
by: Coder Coder | last post by:
Hi, Can someone help me with how to overload the __import__ function, so that I can call the old __import__ function and if it cannot find the library to be able to do something else. - Thanks.
0
by: jabailo | last post by:
I set up the Remoting Chat application so I could run the server as a windows service. This is code I'm using with some .config modifications so I can run it across a network: ...
0
by: kamiller | last post by:
Help our ASP.NET Application Fails to create SQL Connection after Server Security Hardening System worked perfectly until Security ran "Hardening Scripts" Errors caught by ExceptionManagement...
0
by: Thomas Dybdahl Ahle | last post by:
Hi, I'm writing a gdesklets control, that dynamicly uses __import__ and getattr to get the right classes based on userinput. The problem is, that my control is somehow being run from somewhere...
0
by: Mitko Haralanov | last post by:
Hi all, I am going to do my best to describe the issue that I am having and hopefully someone can shed some light on it: I have three modules that a comprising the problem: ../core.py...
1
by: Harold Fellermann | last post by:
Dear list, I looked through the list but could not find any solutions for my current problem. Within my program, I am importing a module via __import__(module_name,globals(),locals()) and I...
4
by: Joshua Kugler | last post by:
We've recently been doing some profiling on a project of ours. It runs quite fast on Linux but *really* bogs down on Windows 2003. We initially thought it was the simplejson libraries (we don't...
2
kaarthikeyapreyan
by: kaarthikeyapreyan | last post by:
Query about the __import__ function ~pwd /home/preyan/test ~ls sample.py ~python >>> mod=__import__('sample') >>> amod=__import__('/home/preyan/test/sample') >>>
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.