[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sandboxing eval()

On 21/01/20 6:57 pm, musbur at wrote:
> If I start with empty global and
> local dicts, and an empty __builtins__, and I screen the input string
> so it can't contain the string "import", is it still possible to have
> "targeted" malicious attacks?


Python 3.7.3 (default, Apr  8 2019, 22:20:19)
[GCC 4.2.1 (Apple Inc. build 5664)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
<built-in function __import__>

You can probably find a way to block that particular loophole.
But then there will be another one, and another, and another...
You'll never be sure that you've found all of them.