[Zope] Script (Python) insecure ?

M.-A. Lemburg mal at egenix.com
Sat Aug 16 07:11:13 EDT 2008


On 2008-08-16 08:00, Dieter Maurer wrote:
> M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
>> ...
>> While I have not yet been able to break out of the restricted
>> environment without help from installed products, there are a few
>> denial-of-service attacks which can easily be deployed on sites
>> allowing adding Python Scripts to a user folder:
>>
>> 1. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> return 'kaboom'.encode('test.testall')
> 
> Attacks like this are well known and it is very difficult
> to prevent them reliably:
> 
>    Script (Python) (for good reasons) allows "while"
>    and with it it is trivial to
> 
>      * create infinite loops
> 
>      * consume an unbounded amount of memory
> 
> That we hear very few problem reports in this respect
> indicates that these "insecurities" have very
> little practical importance -- maybe, because few installations grant
> the creation of scripts to untrusted people.

... and that's good :-)

I think the only problem with PythonScripts is that they advertise
themselves as providing a secure way to run Python code (see the
help documentation) and that can potentially cause serious security
problems.

In my experience, attempts to create a sandbox that protects
sufficiently against unwanted resource usage are either too
restrictive and slow to make them useful or have problems
preventing DoS attacks.

It's usually a lot better (and more efficient) to use trusted
code only.

BTW: The reason why I had a look at these was that Chris Withers
mentioned at EuroPython that they are currently causing delays
in the Python 2.5 adoption (or at least are one of the reasons
for them).

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 16 2008)
 >>> Python/Zope Consulting and Support ...        http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::


    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611
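Added illustration of the codec-lookup vector behind the first attack in the thread. This is example code written for this archive page, not code from the post, from Zope or from CPython: a search function in the lax style hands the codec name straight to __import__, so a dotted name such as test.testall reaches the import system and whatever that module does at import time runs during the lookup; the hardened form rejects dotted names before touching the import system and only ever imports from inside one package (the same shape as the check later CPython versions carry in their encodings package). The module names hypothetical_pkg.run_tests and hypothetical_codec are constructed for the example and deliberately do not exist; the recorder only observes which imports are attempted.

```python
import sys


class ImportRecorder:
    """Meta path finder that records every module name the import system
    is asked to locate, then declines so the lookup proceeds normally.
    Constructed for this example to observe import attempts."""

    def __init__(self):
        self.requested = []

    def find_spec(self, fullname, path, target=None):
        self.requested.append(fullname)
        return None


def lax_search(encoding):
    """Lookup in the style the thread describes as dangerous: the codec
    name is handed to __import__ unchanged, so a name like 'test.testall'
    becomes 'import test.testall' and its import-time side effects run."""
    try:
        mod = __import__(encoding)
    except ImportError:
        return None
    return getattr(mod, "getregentry", lambda: None)()


def hardened_search(encoding):
    """Lookup that rejects dotted names before any import happens and
    only ever imports modules from inside the 'encodings' package."""
    if not encoding or "." in encoding:
        return None
    try:
        mod = __import__("encodings." + encoding, fromlist=["*"], level=0)
    except ImportError:
        return None
    return getattr(mod, "getregentry", lambda: None)()


def imports_triggered(search, encoding):
    """Run one search function and return the module names it caused the
    import system to look for (modules already in sys.modules are not
    seen, because they never reach the finders)."""
    recorder = ImportRecorder()
    sys.meta_path.insert(0, recorder)
    try:
        search(encoding)
    finally:
        sys.meta_path.remove(recorder)
    return recorder.requested


if __name__ == "__main__":
    # Hypothetical, non-existent names chosen for the demonstration.
    name = "hypothetical_pkg.run_tests"
    print("lax lookup asked the import system for: ",
          imports_triggered(lax_search, name))
    print("hardened lookup asked for:              ",
          imports_triggered(hardened_search, name))
    print("hardened lookup of a plain name stays inside the package:",
          imports_triggered(hardened_search, "hypothetical_codec"))
```

The lax lookup asks the import system for the top-level package named in the codec string, which is exactly the hook a script author needs to make the interpreter run arbitrary import-time code such as a test suite; the hardened lookup never reaches the import system for a dotted name and, for a plain name, only ever looks inside encodings.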

