rexec & Bastion ?
Gabriel Genellina
gagsl-py2 at yahoo.com.ar
Wed Apr 11 22:50:13 EDT 2007
On Wed, 11 Apr 2007 19:26:27 -0300, Erik Johnson <nobody at invalid.com> wrote:

> The documentation for these two modules says that they were disabled in
> Python 2.3 due to security holes not easily fixable. I have not worked with
> them, but I can still import them under Python 2.4, so I'm not clear on
> whether the security problems were fixed in Python itself, or whether the
> modules remain deprecated (disabled?)? How are/were they actually disabled?
> Any place that documents what the problems are? Any alternatives?

They were insecure in 2003, and still are. This example still works (you have to re-enable Bastion.py and rexec.py to test, removing the explicit RuntimeError raise):
http://mail.python.org/pipermail/python-dev/2003-January/031851.html

With new-style classes you can create new instances using type(), for example; this way you can bypass the read-only restriction on files.

The language has grown plenty of new attributes, they're very handy, but provide a lot of security holes; like __subclasses__ for example.

As far as I know, Python can't secure itself by now. I think you have to go outside Python, using a chroot jail for example.

-- 
Gabriel Genellina
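
The point about type() and __subclasses__ in the message above, as an added example that is not part of the original post: a small audit showing that removing every builtin name from a namespace does not limit what attribute access can still reach. It assumes Python 3, where rexec and Bastion no longer exist, so the empty-builtins namespace and the names run_restricted and audit are constructed stand-ins.

```python
# Added illustration for Python 3. rexec and Bastion no longer exist, so the
# empty-builtins namespace below is a constructed stand-in for a "restricted"
# execution environment, not a reimplementation of either module.

def run_restricted(expr):
    """Evaluate expr with every builtin name removed."""
    return eval(expr, {"__builtins__": {}}, {})


def audit():
    """Report what remains reachable from a bare literal in that namespace."""
    report = {}

    # Name lookup really is blocked: open() cannot be referenced by name.
    try:
        run_restricted("open")
        report["open_by_name"] = True
    except NameError:
        report["open_by_name"] = False

    # Attribute access is not: the metaclass `type` comes back from a tuple.
    recovered_type = run_restricted("().__class__.__class__")
    report["type_recovered"] = recovered_type is type

    # With type() in hand, new classes can be built without any builtins.
    built = run_restricted("().__class__.__class__('X', (), {})")
    report["class_built"] = isinstance(built, type) and built.__name__ == "X"

    # object.__subclasses__() lists classes loaded anywhere in the process,
    # including ones from modules the restricted code never imported.
    classes = run_restricted("().__class__.__base__.__subclasses__()")
    report["classes_reachable"] = len(classes)
    report["from_other_modules"] = sum(
        1 for c in classes if getattr(c, "__module__", "builtins") != "builtins"
    )
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```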