Re: [pygame] Python bots in Galcon (or your game!) safe_eval
- To: pygame-users@xxxxxxxx
- Subject: Re: [pygame] Python bots in Galcon (or your game!) safe_eval
- From: Phil Hassey <philhassey@xxxxxxxxx>
- Date: Fri, 9 Mar 2007 14:30:52 -0800 (PST)
- In-reply-to: <45F1D041.6000306@telus.net>
- Reply-to: pygame-users@xxxxxxxx
- Sender: owner-pygame-users@xxxxxxxx
Lenard,
Excellent catch. I've removed the 'type' function from the list of safe builtins. I've also added a test case, "test_misc_type_escape", that demonstrates what you wrote.
http://www.imitationpickles.org/tmp/safe.py
Using what you wrote, I changed it a little and was able to do a 1/0 outside of the safe_eval, causing a crash.
Thanks!
Phil
Lenard Lindstrom <len-l@xxxxxxxxx> wrote:
Phil Hassey wrote:
> Hey,
>
> I've updated the script with some more tests and other goodies.
>
The following program executes code outside safe_eval.
from safe import safe_eval
TestCode = """
def delmethod(self):
    print 'I am out.'
# The class is built through type(), so the string '__del__' never appears
# literally in the source and a name-based filter does not see it.
foo = type('Foo', (object,), {'_' + '_del_' + '_':delmethod})()
foo.error
"""
try:
    safe_eval(TestCode)
finally:
    # The AttributeError from foo.error unwinds out of safe_eval; foo is
    # then collected and its finalizer runs outside the sandbox.
    print 'Left safe_eval.'
I can't find any way to exploit this loophole though. But maybe the
__del__ method could be used to exhaust memory in an infinitely
recursive way.
--
Lenard Lindstrom
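A minimal sandbox of the kind discussed in this thread, added here as an illustration and not Phil's safe.py: a static filter for dunder identifiers plus a builtins allowlist from which type() has been dropped, as in the fix above. It shows that the concatenated '__del__' name passes the static check unnoticed, so removing type() from the allowlist is what actually stops the escape. The names SAFE_BUILTINS, check_code, safe_exec and classify are assumptions of this example.

```python
import ast
import builtins
# Hypothetical minimal sandbox written for this thread, not Phil Hassey's
# safe.py. Like the fix above, the builtins allowlist omits type().
SAFE_BUILTINS = {n: getattr(builtins, n) for n in
                 ("abs", "len", "min", "max", "range", "str", "int", "print", "object")}

class UnsafeCode(Exception):
    """The static check found a forbidden construct."""

def check_code(source):
    """Reject imports and literal dunder identifiers in the syntax tree.
    A dunder name built at run time ('_' + '_del_' + '_') is invisible here."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise UnsafeCode("imports are not allowed")
        if isinstance(node, ast.Name):
            ident = node.id
        elif isinstance(node, ast.Attribute):
            ident = node.attr
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            ident = node.name
        else:
            continue
        if ident.startswith("__") and ident.endswith("__"):
            raise UnsafeCode("dunder identifier: " + ident)
    return tree

def safe_exec(source):
    """Run checked source with restricted builtins; return its globals dict."""
    env = {"__builtins__": SAFE_BUILTINS}
    exec(compile(check_code(source), "<sandbox>", "exec"), env)
    return env

def classify(source):
    # 'rejected' by the static check, 'blocked' by the allowlist, 'error', or 'ran'
    try:
        safe_exec(source)
    except UnsafeCode:
        return "rejected"
    except NameError:          # e.g. type() is not on the allowlist
        return "blocked"
    except Exception:
        return "error"
    return "ran"

# Constructed input: Lenard's escape, in Python 3 syntax.
ESCAPE = ("def delmethod(self):\n    print('I am out.')\n"
          "foo = type('Foo', (object,), {'_' + '_del_' + '_': delmethod})()\nfoo.error\n")
```

With type() back on the allowlist the same snippet would reach foo.error and the finalizer would run after the sandbox call returned, exactly as in the report above.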