[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
Chris Angelico
rosuav at gmail.com
Tue Apr 12 08:45:06 EDT 2016
More information about the Python-Dev mailing list
Tue Apr 12 08:45:06 EDT 2016
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, Apr 12, 2016 at 10:42 PM, Jon Ribbens <jon+python-dev at unequivocal.co.uk> wrote: > On Tue, Apr 12, 2016 at 02:31:19PM +0200, Victor Stinner wrote: >> Oh, I forgot to mention another vulnerability: you block access to >> attributes by replacing getattr and by analyzing the AST. Ok, but one >> more time, it's not enough. If you get access to obj.__dict__, you >> will likely get access to any attribute using obj_dict[attr] instead >> of obj.attr. > > That's not a vulnerability, and it's something I already explicitly > mentioned - if you can get a function to return an object's __dict__ > then you win. The question is: can you do that? The question is, rather: Can you prove that we cannot? ChrisA
- Previous message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Next message (by thread): [Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Python-Dev mailing list