[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [pygame] From * import * and Pygame2exe

To: pygame-users@xxxxxxxx
Subject: Re: [pygame] From * import * and Pygame2exe
From: Sami Hangaslammi <sami.hangaslammi@xxxxxxxxx>
Date: Wed, 20 Jul 2005 20:53:29 +0300
Delivered-to: archiver@seul.org
Delivered-to: pygame-users-outgoing@seul.org
Delivered-to: pygame-users@seul.org
Delivery-date: Wed, 20 Jul 2005 13:53:43 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Ii7mNUhjnwx8Fqqw+IvhbIGPtZS1Vwrtb2s6L62AqCFJ1TtHynSxtFsAuGUOPKnJgeHexaTq2IMidt2QRBp1PDMJX7WFGnNCjafWjbNCUfyBsdcg1dwX9cs7FrmfJzXZC973wJ+QJMIZWS00ZE/wVu/Vfyum1nZVjfIA8YX/asc=
In-reply-to: <7528bcdd0507201022485fe7b5@mail.gmail.com>
References: <1243.165.121.82.234.1121702161.squirrel@165.121.82.234> <2c43defd05071809025ac0ad47@mail.gmail.com> <383b6d6f050718135154416901@mail.gmail.com> <1121871485.7900.27.camel@localhost.localdomain> <383b6d6f05072008245487fbe9@mail.gmail.com> <2c43defd05072009387c1fd46b@mail.gmail.com> <7528bcdd0507201022485fe7b5@mail.gmail.com>
Reply-to: pygame-users@xxxxxxxx
Sender: owner-pygame-users@xxxxxxxx

On 7/20/05, Andre Roberge <andre.roberge@xxxxxxxxx> wrote:
> How about doing something like the following:
> 
> def isFileSafe(file_to_import):
> ....unsafe = "".join(contents)
> ....unsafe = unsafe.replace("(", " (")
> ....unsafe = unsafe.split()
> ....bad_keywords = ["chr", "exec", "eval", "input", "raw_input",
> "import", "file", "open"]
> ....for word in bad_keywords:
> ........if word in safe_list:
> ............return False
> ....return True
> 
> [add in a regular expression search for any "magic" python "word" of the form
> __aName__, i.e. lead and followed by two underscores -- something I can't do on
> the spot :-(]
> 
> and only allow importing levels (through execfile()) if it's deemed to be safe?

I still wouldn't trust string analysis, since there are so many sneaky
ways to write something. E.g.

getattr(getattr(globals()["\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f"],
"\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f")("\x6f\x73"),
"\x73\x79\x73\x74\x65\x6d")("oops")

While the above is reliant on __builtins__ and would be stopped by the
word in safe_list check, I'm pretty sure that someone who knows all
the tricks could get past string tests. The bytecodes aren't that much
more difficult to analyze and they are, IMHO, easier to make
foolproof.

-- 
Sami Hangaslammi

Follow-Ups:
- Re: [pygame] From * import * and Pygame2exe
  - From: D. Hartley
- Re: [pygame] From * import * and Pygame2exe
  - From: Richard Jones

References:
- [pygame] From * import * and Pygame2exe
  - From: kschnee
- Re: [pygame] From * import * and Pygame2exe
  - From: Sami Hangaslammi
- Re: [pygame] From * import * and Pygame2exe
  - From: andrew baker
- Re: [pygame] From * import * and Pygame2exe
  - From: Dan
- Re: [pygame] From * import * and Pygame2exe
  - From: andrew baker
- Re: [pygame] From * import * and Pygame2exe
  - From: Sami Hangaslammi
- Re: [pygame] From * import * and Pygame2exe
  - From: Andre Roberge

Prev by Author: Re: [pygame] From * import * and Pygame2exe
Next by Author: Re: [pygame] Pitcher's Duel Batter Demo needs testers
Previous by thread: Re: [pygame] From * import * and Pygame2exe
Next by thread: Re: [pygame] From * import * and Pygame2exe
Index(es):
- Author
- Thread