[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
R. David Murray
rdmurray@fcgnetworks.net
Tue, 17 Dec 2002 16:07:44 -0500 (EST)
On Tue, 17 Dec 2002, Chris Withers wrote:
> R. David Murray wrote:
> > The issue here (assuming I'm understanding it correctly, of course)
> > is that once your patch is in, someone can do that arbitrary import
> > from a pythonscript through the web.
>
> This isn't the case at all. The patch 'pre-imports' the module to give it a
> chance to make security declarations. Any module failing to do so will still
> fail to import.
The only difference between your "pre-import" and a real import is
that the name doesn't get registered in the *local* namespace. The
code in the relevant python files still gets executed. (Which is
your whole point, after all, otherwise the security declarations
would have no effect). Remember that python makes no distinction
between "compile" and "run". An import causes the code in the file
to be *executed*. It's just that the side effects of that execution
are normally to load references to compiled code into the local
namespace. But there's nothing to prevent a 'system("rm -rf /*")'
line from appearing at the top level of a module and getting executed
at import (or "pre-import") time. Of course, *that* line isn't
likely, but there are lots of other insecure things a sloppy coder
might do on purpose or by accident, such as starting up a listener
on a socket.
--RDM
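
The behaviour described in this message, as an added example that is not part of the original post or of Zope's code: a module is "pre-imported" with `__import__` and the result discarded, yet its top-level statements still run. The module name, the marker file and `pre_import_demo` are constructed for illustration, and the side effect is deliberately harmless.

```python
import os
import shutil
import sys
import tempfile
import textwrap

# Constructed sample module: its top-level statement has a harmless,
# observable side effect (it creates a marker file next to itself).
MODULE_SOURCE = textwrap.dedent('''
    import os
    MARKER = os.path.join(os.path.dirname(__file__), "side_effect.marker")
    with open(MARKER, "w") as fh:      # executes at import time
        fh.write("top-level code ran")

    def declared_later():
        return "never called"
''')

def pre_import_demo(module_name="rdm_demo_untrusted_mod"):
    """Pre-import a module without binding its name; report what happened."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, module_name + ".py"), "w") as fh:
        fh.write(MODULE_SOURCE)
    marker = os.path.join(workdir, "side_effect.marker")
    sys.path.insert(0, workdir)
    try:
        before = os.path.exists(marker)
        __import__(module_name)        # result discarded: no local binding
        return {
            "marker_before": before,                         # False
            "marker_after": os.path.exists(marker),          # True
            "bound_locally": module_name in locals(),        # False
            "in_sys_modules": module_name in sys.modules,    # True
        }
    finally:
        # Undo the demo's changes to interpreter state and disk.
        sys.path.remove(workdir)
        sys.modules.pop(module_name, None)
        shutil.rmtree(workdir, ignore_errors=True)

if __name__ == "__main__":
    for key, value in pre_import_demo().items():
        print(key, "=", value)
```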