[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
Nikolaus Rath
Nikolaus at rath.org
Mon Apr 11 11:35:11 EDT 2016
On Apr 11 2016, Jon Ribbens <jon+python-dev at unequivocal.co.uk> wrote:
>> What I see is that you asked to break your sandbox, and less than 1
>> hour later, a first vulnerability was found (exec called with two
>> parameters). A few hours later, a second vulnerability was found
>> (async generator and cr_frame).
>
> The former was just a stupid bug, it says nothing about the viability
> of the methodology. The latter was a new feature in a Python version
> later than I have ever used, and again does not imply anything much
> about the viability.

It implies that new versions of Python may break your sandbox. That
doesn't sound like a viable long-term solution.

> I think now I've blocked the names of frame
> object attributes it wouldn't be a vulnerability any more anyway.

It seems like you're playing whack-a-mole.

Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«
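
Added example, not part of the original message or of the sandbox under discussion: one way a maintainer of a name-denylist sandbox could audit each new interpreter release for attributes that hand out frame objects and are missing from the list. The denylist contents and all function names here are assumptions made for this illustration.

```python
import sys
import types

# Assumed denylist, as it might have been written before coroutines existed
# (constructed for this example; not the list used by the sandbox in the thread).
DENYLIST_PRE_35 = {"gi_frame", "tb_frame", "f_back", "f_globals", "f_builtins"}


def _sample_objects():
    """Build one live instance of each object kind that can carry a frame."""
    def gen():
        yield

    async def coro():
        pass

    async def agen():
        yield

    c = coro()
    try:
        raise ValueError("constructed")
    except ValueError as exc:
        tb = exc.__traceback__
    return [gen(), c, agen(), tb, sys._getframe()], c


def frame_exposing_attributes():
    """Names of attributes on the samples whose value is a frame object."""
    samples, c = _sample_objects()
    found = set()
    for obj in samples:
        for name in dir(obj):
            try:
                value = getattr(obj, name)
            except Exception:
                continue  # attribute not readable in this state
            if isinstance(value, types.FrameType):
                found.add(name)
    c.close()  # avoid the "coroutine was never awaited" warning
    return found


def uncovered(denylist=DENYLIST_PRE_35):
    """Frame-exposing names in this interpreter that the denylist misses."""
    return sorted(frame_exposing_attributes() - set(denylist))


if __name__ == "__main__":
    print(sys.version_info[:2], "not covered by denylist:", uncovered())
```

Run as a test on every interpreter upgrade, a non-empty result means the denylist is already out of date for that version. The audit only sees the object kinds it samples, so it reduces the gap described in the message rather than closing it.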