On Wed, 11 Apr 2007 19:26:27 -0300, Erik Johnson <no****@invalid.com> wrote:
> The documentation for these two modules says that they were disabled in
> Python 2.3 due to security holes not easily fixable. I have not worked with
> them, but I can still import them under Python 2.4, so I'm not clear on
> whether the security problems were fixed in Python itself, or whether the
> modules remain deprecated (disabled?)? How are/were they actually disabled?
> Any place that documents what the problems are? Any alternatives?

They were insecure in 2003, and still are. This example still works (you
have to re-enable Bastion.py and rexec.py to test, removing the explicit
RuntimeError raise):
http://mail.python.org/pipermail/pyt...ry/031851.html

With new-style classes you can create new instances using type(), for
example; this way you can bypass the read-only restriction on files.
The language has grown plenty of new attributes; they're very handy, but
provide a lot of security holes, like __subclasses__ for example.

As far as I know, Python can't secure itself as of now. I think you have to
go outside Python, using a chroot jail for example.
--
Gabriel Genellina
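
The reply's point about `__subclasses__` can be audited directly. The following is an added example, not part of the original post and not rexec or Bastion code: it is written for Python 3 and assumes an `exec` with an empty builtins table as a stand-in for an in-process restriction. The function names and the watch list are hypothetical.

```python
# Added illustration (Python 3); all names here are hypothetical.
WATCHED_MODULES = {"_io", "io", "os", "subprocess", "socket"}  # assumed watch list

# Uses only a literal and attribute access, so it needs no builtin names.
PROBE = "found = ().__class__.__base__.__subclasses__()"


def run_restricted(source):
    """Run source with an empty builtins table, as a naive in-process sandbox would."""
    namespace = {"__builtins__": {}}
    exec(source, namespace)
    return namespace


def builtin_blocked(name="open"):
    """True if the restricted namespace cannot resolve the given builtin name."""
    try:
        run_restricted(f"handle = {name}")
    except NameError:
        return True
    return False


def reachable_classes():
    """Every class reachable from what PROBE obtained, walking subclasses transitively."""
    seen = {}
    stack = list(run_restricted(PROBE)["found"])
    while stack:
        cls = stack.pop()
        if id(cls) in seen:
            continue
        seen[id(cls)] = cls
        # Call type's own method so a metaclass override cannot hide subclasses.
        stack.extend(type.__subclasses__(cls))
    return list(seen.values())


def watched(classes):
    """Qualified names of reachable classes that live in a watched module."""
    return sorted(f"{c.__module__}.{c.__qualname__}"
                  for c in classes if c.__module__ in WATCHED_MODULES)


if __name__ == "__main__":
    classes = reachable_classes()
    print("open() name blocked:", builtin_blocked())
    print("classes still reachable:", len(classes))
    print("in watched modules:", watched(classes))
```

Blocking the name `open` leaves the file classes themselves reachable through the object graph, which is why the reply recommends confinement outside the interpreter.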