mysticgalaxies team mailing list archive
-
mysticgalaxies team
-
Mailing list archive
-
Message #00020
Re: Python :(
if we find that it is insecure we certainly should dump it, we don't want
Amethyst to be exploitable.I've searched for Python exploits on milw0rm.com,
but all the results there require that the os module is imported first, and
we're not doing that (not ruling out that there might be other ways of
course).
I've been thinking and maybe we could post a challenge somewhere with a
simple embedded Python application with the same security measures that we
have and see if anyone can break it. (and we should also check if we can fix
the hole that they find, if they find something)
(and regarding our talk about Savannah, I guess it wouldn't hurt to register
there and try things out, and if it isn't enough we'll just close it)
2009/5/27 Braden Walters <meoblast@xxxxxxx>
> We don't necessarily have to dump Python, we just need to evaluate
> whether it is a smart idea, and then decide whether we will stick with
> it or go to something else. I took a quick look at Mozilla Spidermonkey
> (Javascript) but I'm not sure how powerful or extensible that library
> is.
>
> On Wed, 2009-05-27 at 07:19 +0200, Henrik Nilsson wrote:
> > We've already had to disable a few builtin functions, such as file
> > (which could open a local file for reading/writing), worth noting is
> > that also import is disabled, did you bring this up when you asked,
> > Braden?
> > I think disabling import should save us from most security headaches
> > (other than builtin functions, but that's a relatively small list)
> > Though if we're gonna dump Python we'll have to find another candidate
> > quick, what do you say about Lua?
> >
> >
> > Here's a list of languages that are good for embedding, though without
> > any consideration for security in arbitrary
> > code,
> http://en.wikipedia.org/wiki/Categorical_list_of_programming_languages
> >
> > 2009/5/27 Ted Smith <teddks@xxxxxxxxx>
> > Insecure how?
> >
> >
> > On Tue, 2009-05-26 at 19:33 -0400, Braden Walters wrote:
> > > I asked the Python community about what they think about
> > using Python
> > > for a project like Amethyst. They said it's WAY too
> > insecure. I suppose
> > > it's best to go back now before we get too far into a mess.
> > Since this
> > > is mostly for Rakhun, I'll have to talk to you in IRC some
> > time about
> > > this.
> > >
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~mysticgalaxies
> > > Post to : mysticgalaxies@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe : https://launchpad.net/~mysticgalaxies
> > > More help : https://help.launchpad.net/ListHelp
> >
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~mysticgalaxies
> > Post to : mysticgalaxies@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~mysticgalaxies
> > More help : https://help.launchpad.net/ListHelp
> >
> >
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~mysticgalaxies
> > Post to : mysticgalaxies@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~mysticgalaxies
> > More help : https://help.launchpad.net/ListHelp
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~mysticgalaxies
> Post to : mysticgalaxies@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mysticgalaxies
> More help : https://help.launchpad.net/ListHelp
>
Follow ups
References
