M.-A. Lemburg wrote:
> On 2008-08-16 08:00, Dieter Maurer wrote:
>> M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
>>> ... While I have not yet been able to break out of the restricted environment without help from installed products, there are a few denial-of-service attacks which can easily be deployed on sites allowing adding Python Scripts to a user folder:
>>>
>>> 1. Attack:
>>>
>>> Put this into a "Script (Python)" object and run it:
>>>
>>>     return 'kaboom'.encode('test.testall')
>>
>> Attacks like this are well known and it is very difficult to prevent them reliably:
>>
>> Script (Python) (for good reasons) allows "while" and with it, it is trivial to
>>
>> * create infinite loops
>> * consume an unbounded amount of memory
>>
>> That we hear very few problem reports in this respect indicates that these "insecurities" have very little practical importance -- maybe because few installations grant the creation of scripts to untrusted people.
>
> ... and that's good :-)
>
> I think the only problem with PythonScripts is that they advertise themselves as providing a secure way to run Python code (see the help documentation) and that can potentially cause serious security problems.
>
> In my experience, attempts to create a sandbox that protects sufficiently against unwanted resource usage are either too restrictive and slow to make them useful or have problems preventing DoS attacks.
>
> It's usually a lot better (and more efficient) to use trusted code only.

Agreed. The major advantages of through-the-web coding are that changes don't require server restarts, and that programmers don't need filesystem access on the server. Both of those aren't much help during development, at least in a "developer sandbox" model, but they have been important in the past for apps which were in production.

> BTW: The reason why I had a look at these was that Chris Withers mentioned at EuroPython that they are currently causing delays in the Python 2.5 adoption (or at least are one of the reasons for them).
I think the big issue is that the changes to the underlying AST model in 2.5 need review against our TTW guards. The set of people who can do that review is pretty small: it needs a fairly deep understanding of Python's low-level internals. Last time we did the drill (for Python 2.4), there were a few more Python core developers around whose day jobs motivated the review. At this point, the intersection of the available with the able is pretty small. ;(

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
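The thread's observation that Restricted Python cannot stop a "while" loop or an unbounded allocation from inside the interpreter is usually answered by enforcing the budget from outside it. The following is an added example, not code from this thread, from Zope or from RestrictedPython: it runs a snippet in a separate interpreter under RLIMIT_CPU and RLIMIT_AS (set with resource.setrlimit in a preexec hook), keeps a wall-clock timeout as a fallback for code that sleeps rather than spins, and classifies what stopped the child. The function and verdict names are mine, the sample snippets are constructed, and the code assumes a Linux/Unix host where Python's resource module is available.

```python
"""Run an untrusted Python snippet in a child process under OS resource limits.

Added example, not code from the mailing-list thread above.  Limits that a
restricted interpreter cannot enforce on itself (CPU time, address space)
are applied by the kernel to a child process instead.  Linux/Unix only.
"""
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    verdict: str            # "ok", "cpu_limit", "memory_limit", "wall_timeout" or "error"
    returncode: Optional[int]
    stdout: str
    stderr: str


def _clamp(res: int, wanted: int) -> int:
    """Never ask for more than the inherited hard limit; setrlimit() would refuse."""
    _soft, hard = resource.getrlimit(res)
    return wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)


def _limiter(cpu_seconds: int, memory_bytes: int):
    """Build the preexec hook; it runs in the child after fork(), before exec()."""
    def apply_limits():
        # Soft CPU limit delivers SIGXCPU (default action: terminate);
        # the hard limit one second later is the backstop if that is ignored.
        hard_cpu = _clamp(resource.RLIMIT_CPU, cpu_seconds + 1)
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, hard_cpu), hard_cpu))
        # Cap the address space so a huge allocation fails with MemoryError
        # in the child instead of starving the rest of the host.
        mem = _clamp(resource.RLIMIT_AS, memory_bytes)
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
    return apply_limits


def run_limited(code: str, cpu_seconds: int = 1,
                memory_bytes: int = 512 * 1024 * 1024,
                wall_seconds: float = 10.0) -> Outcome:
    """Execute `code` in a fresh isolated interpreter and classify the result."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],   # -I: ignore user site dir and env vars
            capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=_limiter(cpu_seconds, memory_bytes),
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child; nothing else to reap.
        return Outcome("wall_timeout", None, "", "")

    if proc.returncode == -signal.SIGXCPU:
        verdict = "cpu_limit"
    elif proc.returncode != 0 and "MemoryError" in proc.stderr:
        verdict = "memory_limit"
    elif proc.returncode == 0:
        verdict = "ok"
    else:
        verdict = "error"
    return Outcome(verdict, proc.returncode, proc.stdout, proc.stderr)


if __name__ == "__main__":
    # Constructed snippets standing in for untrusted through-the-web scripts.
    samples = {
        "benign":   "print(2 + 2)",
        "spin":     "while True: pass",
        "sleep":    "import time\nwhile True: time.sleep(1)",
        "allocate": "x = bytearray(10 ** 9)",
    }
    for name, snippet in samples.items():
        out = run_limited(snippet, wall_seconds=3)
        print(f"{name:9s} -> {out.verdict} (rc={out.returncode})")
```

The wall-clock timeout is not redundant: a loop that sleeps consumes no CPU time and so never trips RLIMIT_CPU, which is why the "sleep" sample is caught by the timeout rather than the signal. RLIMIT_AS counts the whole virtual address space, including the interpreter and its shared libraries, so the cap has to be set with some headroom. This bounds one script at a time; it says nothing about many requests arriving in parallel, which is a capacity question rather than a sandbox one.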