[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [pygame] Scripting language

To: pygame-users@xxxxxxxx
Subject: Re: [pygame] Scripting language
From: "David Gowers" <00ai99@xxxxxxxxx>
Date: Tue, 19 Dec 2006 16:26:03 +1030
Delivered-to: archiver@seul.org
Delivered-to: pygame-users-outgoing@seul.org
Delivered-to: pygame-users@seul.org
Delivery-date: Tue, 19 Dec 2006 00:56:29 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=SpgV7BBABwRZKF9KkoteLoYDp+4E6xpwb83185sX8ylxUGCBG/cqPCPTnpyqwLn9fLi+vpI5oKTDxqToXe9iURj2A0x4qWZDXfJxO0HwDm3FMqJ//5Wm9gKy5/jCziSdv2O8zlvu4ONLZpDQLdHLAkcdo+fIFN3JHbOkXR4RJxw=
In-reply-to: <1166501280.29065.301.camel@localhost>
References: <74a945120612162102s10cc1da8y31d50c4fa09d295e@mail.gmail.com> <e41aa83c0612180135y5ecd9a72s3e334eeb2e540e9@mail.gmail.com> <74a945120612180941v74dda2a8lb654a52789c0de83@mail.gmail.com> <200612190803.08935.richardjones@optushome.com.au> <EF8048E6-3744-4167-B3EA-3B8FCAF9A1ED@gmail.com> <1166501280.29065.301.camel@localhost>
Reply-to: pygame-users@xxxxxxxx
Sender: owner-pygame-users@xxxxxxxx

BTW, it's perfectly possible to eliminate open() and file() from usability.
The only problem is it requires a separate instance of __bulitins__ (therefore probably a separate interpreter)

Try 1:

>>> def fakeopen (filename, mode = 'r', buffering = 0):
... raise NotImplementedError
...
>>>
>>> __builtins__.open = fakeopen
>>> __builtins__.file = fakeopen
>>> open ('/dev/urandom', 'rb')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<stdin>", line 2, in fakeopen
NotImplementedError

Try 2 (no, you don't need another interpreter instance!)

>>> def fakeopen (filename, mode = None, buffering = None):
... raise NotImplementedError
...
>>> newbuiltins = dict (vars (__builtins__))
>>> env = {}
>>> newbuiltins['open'] = fakeopen
>>> newbuiltins['file'] = fakeopen
>>> env['__builtins__'] = newbuiltins
>>> # Try to do something VERBOTEN.
>>> script = "f = open('/dev/random','r'); randombyte = f.read (1)"
>>> exec script in env
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
File "<stdin>", line 2, in fakeopen
NotImplementedError
>>> # now see what nested exec does..
...
>>>
>>> script = """exec "f = open('/dev/random','r'); randombyte = f.read(1)";"""
>>> exec script in env
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
File "<string>", line 1, in <module>
File "<stdin>", line 2, in fakeopen
NotImplementedError
>>> # still works!
...

Unless there is some way to access open() via modules' __builtins__ attribute, or functions' func_globals attribute..

And there is. But it's caught!

script = """exec "import os; f = os.__builtins__['open']('/dev/random','r'); randombyte = f.read(1);f.close()";"""
>>> exec script in env
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
File "<string>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode
>>>

I am running Python 2.6 here, and evidently setting __builtins__ in a globals dictionary activates restricted mode for anything running in it.

Testing nestedness
>>> # now for extreme convolution
...
>>> script = """exec "f = open('/dev/random','r'); randombyte = f.read(1);f.close()" in os.__builtins__"""
>>> exec script in env
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
File "<string>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode

:D

Testing silly degree of nestedness:
>>> #and ultimate convolution
...
>>> script = """exec "exec \\\"f = open('/dev/random','r'); randombyte = f.read(1);f.close()\\\"" in os.__builtins__"""
>>> exec script in env
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
File "<string>", line 1, in <module>
File "<string>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode

So that's pretty locked-down (I haven't tested the os module -- get a checkout of SVN python if you want to do that.)

Greg, in Python 2.6:

Python 2.6a0 (trunk:52884, Dec 1 2006, 14:21:57)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> (3).__class__.__bases__[0].__subclasses__()[-3]
<type 'deque_reverse_iterator'>

>>> (3).__class__.__bases__[0].__subclasses__()[-29]
<type 'file'>

>>> # It's a nice hack, but it doesn't help you evade restrictions:
>>> exec "(3).__class__.__bases__[0].__subclasses__()[-29]('/dev/urandom')" in env
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode

The two other major issues are looping-forever (which can't be fixed really, except by restricting execution time) and memory usage (I accidentally created a infinite loop today that expanded Python's memory usage to 500mb). Greg's idea of running as a seperate process is good for addressing those.

Re: imports -- probably the only fully safe way is to prohibit them completely, and pre-import chosen safe modules for your scripts' use.

References:
- [pygame] map format
  - From: spotter .
- Re: [pygame] map format
  - From: Chris Smith
- Re: [pygame] map format
  - From: spotter .
- Re: [pygame] map format
  - From: Richard Jones
- [pygame] Scripting language
  - From: Brandon N
- Re: [pygame] Scripting language
  - From: Tim Ansell

Prev by Author: [pygame] Windows installer for Pygame documentation
Next by Author: Re: [pygame] Pygame 1.8 - PNG is an unsupported image format
Previous by thread: Re: [pygame] Scripting language
Next by thread: Re: [pygame] Scripting language
Index(es):
- Author
- Thread