Dailydave mailing list archives

Re: Google Apps Engine


From: "Lutz Böhne" <lboehne () damogran de>
Date: Fri, 11 Apr 2008 16:33:14 +0200

Even those could easily be sanitized by just some fun with function
pointers.

    >>> open=lambda *x: "no"
    >>> open('/etc/passwd')
    'no'

Unless there are other ways to find these functions:

    >>> __builtins__.__dict__["open"]( '/etc/passwd')
    <open file '/etc/passwd', mode 'r' at 0xb7dac7b8>

or even:

    >>> open=lambda *x: "no"
    >>> open('/etc/passwd')
    'no'
    >>> del open
    >>> open('/etc/passwd')
    <open file '/etc/passwd', mode 'r' at 0xb7db44a0>

Python is fun, there are so many ways to have it do what you want ;)

It might be possible to remove these functions like this:

    >>> del __builtins__.__dict__["open"]
    >>> open('/etc/passwd')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    NameError: name 'open' is not defined
    [...]

But I don't know whether that'd get rid of all problems.

Best regards,

Lutz
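
Added example, not part of the original post: the post's three lookups ported to Python 3 and run as a check against an `exec()` namespace, with and without the override and the builtins removal. The names `PROBES`, `fresh_namespace` and `audit` are assumptions made for this illustration; the probes only resolve the name `open` and never open a file.

```python
import builtins

REAL_OPEN = builtins.open

# The three lookups from the post, in Python 3 form (constructed probes).
# Each one only resolves a name; nothing is opened.
PROBES = {
    "plain name": "result = open",
    "via __builtins__": "result = __builtins__['open']",
    "after del": "try:\n    del open\nexcept NameError:\n    pass\nresult = open",
}

def fresh_namespace(shadow=False, strip=False):
    """Build globals for exec() around a private copy of the builtins dict."""
    private = dict(vars(builtins))      # a copy, so the host interpreter is untouched
    if strip:
        del private["open"]             # the post's del __builtins__.__dict__["open"]
    ns = {"__builtins__": private}
    if shadow:
        ns["open"] = lambda *x: "no"    # the post's override in the global scope
    return ns

def audit(shadow=False, strip=False):
    """Return {probe label: True if the real open() was still reached}."""
    report = {}
    for label, code in PROBES.items():
        ns = fresh_namespace(shadow, strip)
        try:
            exec(code, ns)
            report[label] = ns["result"] is REAL_OPEN
        except (NameError, KeyError):
            report[label] = False       # the name no longer resolves at all
    return report

if __name__ == "__main__":
    for shadow, strip in [(True, False), (True, True)]:
        print(f"shadow={shadow} strip={strip}: {audit(shadow, strip)}")
```

A report of all `False` covers only the three lookups shown in the post; it is not evidence that the namespace confines untrusted code.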
