On 21/01/20 6:57 pm, musbur at posteo.org wrote:
> If I start with empty global and
> local dicts, and an empty __builtins__, and I screen the input string
> so it can't contain the string "import", is it still possible to have
> "targeted" malicious attacks?
Python 3.7.3 (default, Apr 8 2019, 22:20:19)
[GCC 4.2.1 (Apple Inc. build 5664)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
<built-in function __import__>
You can probably find a way to block that particular loophole.
But then there will be another one, and another, and another...
You'll never be sure that you've found all of them.