[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [pygame] Python bots in Galcon (or your game!) safe_eval
- To: pygame-users@xxxxxxxx
- Subject: Re: [pygame] Python bots in Galcon (or your game!) safe_eval
- From: Phil Hassey <philhassey@xxxxxxxxx>
- Date: Fri, 9 Mar 2007 15:41:36 -0800 (PST)
- Delivered-to: archiver@seul.org
- Delivered-to: pygame-users-outgoing@seul.org
- Delivered-to: pygame-users@seul.org
- Delivery-date: Fri, 09 Mar 2007 18:41:47 -0500
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=H3Ho06KWN2OnGRY+9tyQRxY1YRf9yBK7Z5R/AZPFK3VUvnB/aqslUfSHx6m9P4Ewj2Aj4ES6XifPWMJ++DL6eKhwNwcCiWQ1oWvldzJH0Z93JXRVejhrmBVVb7pCvbUwdAKNRf4gW9diBr0yiugVhQL7d4s3ilv6MixK4ftbbB0=;
- In-reply-to: <45F1D041.6000306@telus.net>
- Reply-to: pygame-users@xxxxxxxx
- Sender: owner-pygame-users@xxxxxxxx
P.S. - if anyone has any theoretical ideas on how they could break safe.py, but can't be bothered to try to do it themselves, please post them. I'll give it a shot.
One theoretical one I have is doing something like:
d = {}
v = some_bad_value_that_when_printed_executes_something ?!
v2 = d[v]
because when the exception is raised, v will be printed outside of the safe_eval context.
Thanks!
Phil
Lenard Lindstrom <len-l@xxxxxxxxx> wrote: Phil Hassey wrote:
> Hey,
>
> I've updated the script with some more tests and other goodies.
>
The following program executes code outside safe_eval.
from safe import safe_eval
TestCode = """
def delmethod(self):
print 'I am out.'
foo=type('Foo', (object,), {'_' + '_del_' +
'_':delmethod})()
foo.error
"""
try:
safe_eval(TestCode)
finally:
print 'Left safe_eval.'
I can't find any way to exploit this loophole though. But maybe the
__del__ method could be used to exhaust memory in an infinitely
recursive way.
--
Lenard Lindstrom
Don't pick lemons.
See all the new 2007 cars at Yahoo! Autos.