git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sandboxing eval()


On 21/01/20 6:57 pm, musbur at posteo.org wrote:
> If I start with empty global and
> local dicts, and an empty __builtins__, and I screen the input string
> so it can't contain the string "import", is it still possible to have
> "targeted" malicious attacks?

Yes.

Python 3.7.3 (default, Apr  8 2019, 22:20:19)
[GCC 4.2.1 (Apple Inc. build 5664)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
 >>> 
eval("(1).__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']", 
{"__builtins__":{}})
<built-in function __import__>

You can probably find a way to block that particular loophole.
But then there will be another one, and another, and another...
You'll never be sure that you've found all of them.

-- 
Greg