[Zope] Script (Python) insecure?

Tres Seaver tseaver at palladion.com
Sat Aug 16 10:43:42 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M.-A. Lemburg wrote:
> On 2008-08-16 08:00, Dieter Maurer wrote:
>> M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
>>> ...
>>> While I have not yet been able to break out of the restricted
>>> environment without help from installed products, there are a few
>>> denial-of-service attacks which can easily be deployed on sites
>>> allowing adding Python Scripts to a user folder:
>>>
>>> 1. Attack:
>>>
>>> Put this into a "Script (Python)" object and run it:
>>>
>>> return 'kaboom'.encode('test.testall')
>> Attacks like this are well known and it is very difficult
>> to prevent them reliably:
>>
>>    Script (Python) (for good reasons) allows "while"
>>    and with it, it is trivial to
>>
>>      * create infinite loops
>>
>>      * consume an unbounded amount of memory
>>
>> That we hear very few problem reports in this respect
>> indicates that these "insecurities" have very
>> little practical importance -- maybe because few installations grant
>> the creation of scripts to untrusted people.
> 
> ... and that's good :-)
> 
> I think the only problem with PythonScripts is that they advertise
> themselves as providing a secure way to run Python code (see the
> help documentation) and that can potentially cause serious security
> problems.
> 
> In my experience, attempts to create a sandbox that protects
> sufficiently against unwanted resource usage are either too
> restrictive and slow to make them useful or have problems
> preventing DoS attacks.
> 
> It's usually a lot better (and more efficient) to use trusted
> code only.

Agreed.  The major advantages of through-the-web coding are that changes
don't require server restarts, and that programmers don't need
filesystem access on the server.  Both of those aren't much help during
development, at least in a "developer sandbox" model, but they have been
important in the past for apps which were in production.

> BTW: The reason why I had a look at these was that Chris Withers
> mentioned at EuroPython that they are currently causing delays
> in the Python 2.5 adoption (or at least are one of the reasons
> for them).

I think the big issue is that the changes to the underlying AST model in
2.5 need review against our TTW guards.  The set of people who can do
that review is pretty small:  it needs a fairly deep understanding of
Python's low-level internals.  Last time we did the drill (for Python
2.4), there were a few more Python core developers around whose day jobs
motivated the review.  At this point, the intersection of the available
with the able is pretty small. ;(


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIpuee+gerLs4ltQ4RAjqWAJ9Efg90jVLcmyMoU7catEPahhULsACfUzn3
Zd1aD3DGQqmFsK4iKbv1I0A=
=wc75
-----END PGP SIGNATURE-----
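
The thread above makes the point that a syntax-level sandbox such as Script (Python) cannot stop a "while" loop from burning CPU or filling memory, and that the usable control lives one layer down, in the operating system. The following is an added example, not code from the thread or from Zope: it runs a snippet in a fresh Python interpreter under POSIX resource limits (resource.setrlimit on RLIMIT_CPU and RLIMIT_AS, plus a wall-clock timeout) and reports whether the snippet finished, was killed, or died of MemoryError. The three snippets are constructed stand-ins for the two denial-of-service primitives Dieter names and one benign script; the function and constant names are this example's own. It assumes Linux, where RLIMIT_AS is enforced.

```python
"""Run untrusted Python under OS resource limits (added example, not Zope code).

The sandbox layer (RestrictedPython / Script (Python)) decides *what* code may
call; the OS layer below decides *how much* CPU and memory it may consume.
This shows the second layer, which is what the thread says the first cannot do.
"""
import resource
import subprocess
import sys

# Constructed sample snippets, not taken from any Zope product or site.
INFINITE_LOOP = "while True:\n    pass\n"                     # burns CPU forever
MEMORY_HOG = ("blob = []\n"
              "while True:\n"
              "    blob.append(bytearray(20_000_000))\n")     # grows without bound
BENIGN = "print(sum(range(10)))\n"                            # finishes normally


def _limits(cpu_seconds, mem_bytes):
    """Return a preexec hook that caps CPU time and address space of the child.

    Soft and hard limits are set equal so the child cannot raise them again.
    We never exceed an existing hard limit, which setrlimit would reject.
    """
    def apply():
        for res, wanted in ((resource.RLIMIT_CPU, cpu_seconds),
                            (resource.RLIMIT_AS, mem_bytes)):
            _soft, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                wanted = min(wanted, hard)
            resource.setrlimit(res, (wanted, wanted))
    return apply


def run_limited(src, cpu_seconds=1, mem_bytes=512 * 1024 * 1024, wall_seconds=5):
    """Execute src in a separate interpreter under the given limits.

    Returns one of:
      ("ok", stdout)       the snippet completed
      ("killed", reason)   the OS killed it (CPU limit) or we hit the wall clock
      ("error", last_line) it exited non-zero, e.g. MemoryError at the AS limit
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", src],   # -I: isolated mode, no user site
            capture_output=True, text=True,
            timeout=wall_seconds,                # backstop if RLIMIT_CPU never fires
            preexec_fn=_limits(cpu_seconds, mem_bytes),
        )
    except subprocess.TimeoutExpired:
        return ("killed", "wall-clock timeout")
    if proc.returncode == 0:
        return ("ok", proc.stdout.strip())
    if proc.returncode < 0:
        # Negative return code means the child died from a signal (SIGXCPU/SIGKILL).
        return ("killed", f"signal {-proc.returncode}")
    err = proc.stderr.strip().splitlines()
    return ("error", err[-1] if err else f"exit {proc.returncode}")


if __name__ == "__main__":
    for name, snippet in (("benign", BENIGN),
                          ("infinite loop", INFINITE_LOOP),
                          ("memory hog", MEMORY_HOG)):
        print(f"{name:14s} -> {run_limited(snippet)}")
```

Running it shows the benign script returning "45", the loop dying by signal after about one CPU second, and the allocator loop ending in MemoryError well below the host's memory. The limits are per process, so a site that lets several untrusted scripts run concurrently still needs an overall request or worker cap; this is the same trade-off Lemburg describes, moved from the interpreter to the kernel where it is actually enforceable.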
