Dailydave mailing list archives
Re: Google Apps Engine
From: "Thomas Ptacek" <tqbf () matasano com>
Date: Sat, 12 Apr 2008 13:22:15 -0500
If you own the interpreter codebase, shouldn't it be possible just to hook libc's open(2) stub, and give a unique signature to calls that originated on a trusted code path? This doesn't seem at all hard to me.

On 4/12/08, Aidan Thornton <makosoft () googlemail com> wrote:
On 4/11/08, Lutz Böhne <lboehne () damogran de> wrote:
> > Even those could easily be sanitized by just some fun with function
> > pointers.
> >
> > >>> open=lambda *x: "no"
> > >>> open('/etc/passwd')
> > 'no'
>
> Unless there are other ways to find these functions:
>
> >>> __builtins__.__dict__["open"]( '/etc/passwd')
> <open file '/etc/passwd', mode 'r' at 0xb7dac7b8>
>
> or even:
>
> >>> open=lambda *x: "no"
> >>> open('/etc/passwd')
> 'no'
> >>> del open
> >>> open('/etc/passwd')
> <open file '/etc/passwd', mode 'r' at 0xb7db44a0>
>
> Python is fun, there are so many ways to have it do what you want ;)
>
> It might be possible to remove these functions like this:
>
> >>> del __builtins__.__dict__["open"]
> >>> open('/etc/passwd')
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> NameError: name 'open' is not defined
> [...]
>
> But I don't know whether that'd get rid of all problems.
>
> Best regards,
>
> Lutz

Hi,

The quick answer is no, it wouldn't be enough. For example, try type(sys.stdin)('/etc/passwd') or the equivalent sys.stdin.__class__('/etc/passwd'). Also, as http://mail.python.org/pipermail/python-dev/2006-July/067291.html points out, file can be obtained from object.__subclasses__(). (object itself can be found by working up the inheritance tree from any new-style class - say, a string - using __bases__)

Python's powerful introspection support and lack of data hiding make doing any sort of meaningful sandboxing within the language itself very difficult. There used to be a bundled module called rexec to do this (via a combination of hooks into the interpreter and built-in support), but it was deprecated due to security issues. They might be doing something similar - it seems to strip what functions from native-code modules can be imported to some safe whitelist (and load all modules written in Python within the sandbox).
Aidan
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
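The enforcement point suggested at the top of this message (checking at the open call itself instead of removing names) can be approximated inside a modern interpreter with `sys.addaudithook` (Python 3.8+). This is an added example, not code from the thread or from App Engine; `run_confined`, `read_by_name`, `read_by_type` and the temporary files are hypothetical names and constructed inputs.

```python
import io
import os
import sys
import tempfile

_policy = {"root": None}                 # None means "not enforcing"

def _open_hook(event, args):             # called for every audit event
    root = _policy["root"]
    if event != "open" or root is None:
        return
    path = args[0]
    if not isinstance(path, (str, bytes, os.PathLike)):
        return                           # fd-based open, no path to judge
    real = os.path.realpath(os.fsdecode(path))
    if real != root and not real.startswith(root + os.sep):
        raise PermissionError("open outside sandbox root: %s" % real)

sys.addaudithook(_open_hook)             # hooks cannot be removed once added

def run_confined(func, root, *args):     # limit func's opens to directory root
    _policy["root"] = os.path.realpath(root)
    try:
        return func(*args)
    finally:
        _policy["root"] = None

def read_by_name(path):                  # the route the thread tried to block
    with open(path, "rb") as fh:
        return fh.read()

def read_by_type(path):                  # file type used directly, no name "open"
    with io.FileIO(path, "r") as fh:
        return fh.read()

def demo():                              # constructed files: one inside, one outside
    root = tempfile.mkdtemp()
    inside = os.path.join(root, "ok.txt")
    fd, outside = tempfile.mkstemp()
    os.close(fd)
    with open(inside, "wb") as fh:
        fh.write(b"allowed")
    out = {"inside": run_confined(read_by_type, root, inside)}
    for reader in (read_by_name, read_by_type):
        try:
            out[reader.__name__] = run_confined(reader, root, outside)
        except PermissionError:
            out[reader.__name__] = "denied"
    return out
```

Both routes reach the same audit event, so the check does not depend on which name or type the caller used. Python's documentation states that audit hooks are not a sandbox: native code such as ctypes can bypass them, which is why the message above places the hook at libc's open(2).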