
Re: [pygame] Python bots in Galcon (or your game!) safe_eval



Lenard,

Excellent catch.  I've removed the 'type' function from the list of safe builtins.  I've also added a test case that demonstrates what you wrote.  "test_misc_type_escape"
http://www.imitationpickles.org/tmp/safe.py
Using what you wrote, I changed it a little and was able to do a 1/0 outside of the safe_eval, causing a crash.

Thanks!
Phil

Lenard Lindstrom <len-l@xxxxxxxxx> wrote:
Phil Hassey wrote:
> Hey,
>
> I've updated the script with some more tests and other goodies.
>
The following program executes code outside safe_eval.


from safe import safe_eval

TestCode = """
def delmethod(self):
    print 'I am out.'
# The dunder name is assembled at runtime, so a filter that looks for
# '__del__' in the source never sees it.
foo=type('Foo', (object,), {'_' + '_del_' + '_':delmethod})()
# foo.error raises AttributeError; the finalizer fires when foo is
# collected, which happens outside safe_eval.
foo.error
"""

try:
    safe_eval(TestCode)
finally:
    print 'Left safe_eval.'


I can't find any way to exploit this loophole though. But maybe the
__del__ method could be used to exhaust memory in an infinitely
recursive way.

--
Lenard Lindstrom
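The escape in Lenard's message and the fix in Phil's reply, reduced to a runnable stand-in for the thread's sandbox. This is an added example, not Phil's safe.py (which is not on this page): the static check `check_source`, the `safe_eval` that returns the bot's namespace, the host-exposed `log` function, the `EVENTS` list and the two builtin allow-lists are all assumptions made for illustration, and `log` stands in for whatever API a game bot would be handed. It shows three things in Python 3: the finalizer running only after safe_eval has returned (Lenard's point), the finalizer's exception bypassing the host's except clause (Phil's 1/0), and the same payload failing once `type` is dropped from the allowed builtins (Phil's fix).

```python
import ast
import builtins
import gc
import sys

# Host-side event log. Sandboxed code cannot reach this list directly; it
# can only append to it through the ``log`` function the host exposes
# (an assumed stand-in for the API a game bot would be given).
EVENTS = []


def log(msg):
    EVENTS.append(msg)


class UnsafeCode(Exception):
    """Raised when the static check rejects the submitted source."""


def check_source(source):
    """Reject identifiers and attribute names that look like dunders.

    This is the kind of name-level filter the computed-name trick walks
    around: '_' + '_del_' + '_' is three string constants, never a Name."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            raise UnsafeCode("forbidden name " + node.id)
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise UnsafeCode("forbidden attribute " + node.attr)
    return tree


def safe_eval(source, allowed_builtins):
    """Run ``source`` with only ``allowed_builtins`` (plus ``log``) visible
    and hand the public names it defined back to the host.  Returning the
    namespace is what lets an attacker's object outlive the call."""
    tree = check_source(source)
    ns = {"__builtins__": {n: getattr(builtins, n) for n in allowed_builtins}}
    ns["__builtins__"]["log"] = log
    exec(compile(tree, "<sandbox>", "exec"), ns)
    return {k: v for k, v in ns.items() if not k.startswith("_")}


# Lenard's payload, with the finalizer logging instead of printing.
PAYLOAD = """
def delmethod(self):
    log('finalizer ran')
foo = type('Foo', (object,), {'_' + '_del_' + '_': delmethod})()
"""

# Phil's variant: the finalizer divides by zero.
PAYLOAD_RAISE = PAYLOAD.replace("log('finalizer ran')", "1 / 0")

BUILTINS_BEFORE_FIX = ["object", "type"]   # 'type' still allowed
BUILTINS_AFTER_FIX = ["object"]            # 'type' removed, as in the reply


def run_escape():
    """With 'type' allowed, the finalizer fires only when the host drops
    the returned namespace, i.e. after safe_eval has already returned."""
    del EVENTS[:]
    result = safe_eval(PAYLOAD, BUILTINS_BEFORE_FIX)
    log("safe_eval returned")
    del result          # host discards the bot's namespace ...
    gc.collect()        # ... and the foo/Foo/delmethod/ns cycle is collected
    return list(EVENTS)


def run_late_exception():
    """Phil's 1/0: the except clause around safe_eval never sees the
    error; CPython reports it through sys.unraisablehook instead."""
    seen = []
    old_hook = sys.unraisablehook
    sys.unraisablehook = lambda args: seen.append(args.exc_type.__name__)
    try:
        result = None
        try:
            result = safe_eval(PAYLOAD_RAISE, BUILTINS_BEFORE_FIX)
        except Exception as exc:
            seen.append("host caught " + type(exc).__name__)
        del result
        gc.collect()
    finally:
        sys.unraisablehook = old_hook
    return seen


def run_fixed():
    """Same payload with 'type' removed: the class can never be built."""
    del EVENTS[:]
    try:
        safe_eval(PAYLOAD, BUILTINS_AFTER_FIX)
    except NameError as exc:
        log("rejected: " + type(exc).__name__)
    return list(EVENTS)


if __name__ == "__main__":
    print(run_escape())          # ['safe_eval returned', 'finalizer ran']
    print(run_late_exception())  # ['ZeroDivisionError']
    print(run_fixed())           # ['rejected: NameError']
```

The explicit gc.collect() only makes the timing deterministic; in the real thread the object dies whenever the host happens to drop the last reference, which is exactly why the finalizer lands outside any try/except, timeout or other guard the host put around the call. Removing `type` closes this particular door, but any allowed builtin that takes a name as a string (getattr, setattr, vars) or hands back a class can reopen it, so a filter that inspects identifier spelling in the source is a weak foundation on its own.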



