Drinkable Chicken

Security

By Hans Nowak · March 1, 2009 at 7:30 am · Tags: appengine, python, security

This is great stuff: A Challenge To Break Python Security.

The challenge is simple:
Open a fresh Python interpreter and do:
>>> from safelite import FileReader
You can use FileReader to read files on your filesystem

Now find a way to write to the filesystem from your interpreter

This has been discussed extensively for the last few days on python-dev. It’s funny how code seems to be pretty secure at first glance, then someone comes up with another loophole.

It especially piqued my interest since I am working on yet another searchable card database, this time using Google App Engine. Kind of like Gatherer, but for a different CCG than Magic, and (hopefully) more flexible. What does this have to do with security? Simple: the most flexible way to search cards is to store them as Python objects, then search them using a Python expression, e.g.

card.red and card.black and (card.creature or card.instant) and card.cost > 2

…or, a more convoluted query:

(card.red or card.black) and not card.multicolor \
and card.type == 'Dragon' and card.set.year > 2006

Now, executing an arbitary Python expression entered on a web page, is of course very unsafe. So I need to find ways to make it more secure, while still preserving the flexibility of a Python-based search. Although I’m not sure how much it matters in this particular case, because:

According to the App Engine docs, an application cannot write to the system, so no overwriting of files (?).

I’m not using the data store at all, and there is no user registration, so there’s no sensitive data to be accessed or manipulated.

Projects like Try Python and Try Ruby seem to fare pretty well without imposing many restrictions on the user.

That said, there might be other ways to mess with the site. Personally I don’t care if a user manages to screw up their own session due to malicious hackery, as long as it doesn’t affect other users. :-)

Anyway, the site isn’t ready yet, I still need to add more cards and flesh out the API. If you want to try it (locally), drop me a note, and I’ll send you the code.

Permalink

Comments are closed.

Currently…

reading ⇀ Greek mythology.
listening ⇀ Old stuff.
playing ⇀ CivWorld. ZHP Unlosing Ranger.
hacking ⇀ not a whole lot ATM... :(
studying ⇀ Linux stuff.
designing ⇀ A roguelike...
watching ⇀ n/a
looking forward to ⇀ Saving up enough money to visit parents, visit Friend, buy new Mac, etc. Will take a while...
other activities ⇀ working. playing with cats and baby. ^_^ fighting Linux.
Pages
Archives
- July 2011
- June 2011
- May 2011
- April 2011
- February 2011
- November 2010
- October 2010
- July 2010
- June 2010
- May 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
Friends, family, coworkers, and enemies
My other sites
See also...
Meta

Security

Currently…

Pages

Archives

Friends, family, coworkers, and enemies

My other sites

See also...

Meta