Re: Python CGI sandboxing advice (packaging of Online Python Tutor)
* Jakub Wilk <jwilk@debian.org>, 2014-02-13, 00:27:
The CGI's code is supposed to be safeguarding against abuse,
The protection is not very good. (I'll disclose the details later.)
The exploit I had in mind was:
    import re
    from re import sys
    imp = re.sys.modules['imp']
    posix = imp.load_dynamic('', 'posix')
which gives you access to the goodies of the posix module. There's a
resource limit that prevents you from opening any file, but you can do
chmod(), chown(), remove(), rename(), kill(), …
Apparently this is now fixed:
https://github.com/pgbovine/OnlinePythonTutor/commit/eab7cb1c717a
I wouldn't be surprised if there were other clever ways to bypass OPT's
security restrictions, and upstream doesn't seem too confident about this
code either.
--
Jakub Wilk
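
An added example, not part of the original message or of Online Python Tutor's code: a Python 3 audit that lists module objects reachable by attribute access from an allowlisted set of modules, which is the kind of reference the `re.sys` path above relies on. The `helper` and `clean` modules and all function names are constructed for illustration.

```python
import sys
import types
from collections import deque


def leaked_modules(allowed):
    """Map dotted attribute paths to names of off-allowlist modules.

    Walks module-typed attributes of each allowlisted module breadth-first,
    descending only through modules that are themselves allowlisted.
    """
    allowed_names = {m.__name__ for m in allowed}
    leaks, seen = {}, set()
    queue = deque((m, m.__name__) for m in allowed)
    while queue:
        mod, path = queue.popleft()
        if id(mod) in seen:
            continue
        seen.add(id(mod))
        for attr, value in sorted(vars(mod).items()):
            if not isinstance(value, types.ModuleType):
                continue
            child = path + "." + attr
            if value.__name__ in allowed_names:
                queue.append((value, child))
            else:
                leaks[child] = value.__name__
    return leaks


def exposes_module_table(leaks):
    """True if 'sys' leaks: sys.modules then indexes every loaded module."""
    return "sys" in leaks.values()


def constructed_allowlist():
    # Constructed sample: "helper" stands in for an allowlisted module that
    # ran "import sys" for its own use; "clean" holds no off-list modules.
    helper = types.ModuleType("helper")
    helper.sys = sys
    clean = types.ModuleType("clean")
    clean.answer = 42
    clean.helper = helper  # one allowlisted module referencing another
    return [helper, clean]


if __name__ == "__main__":
    found = leaked_modules(constructed_allowlist())
    for path, name in sorted(found.items()):
        print(path, "->", name)
    print("module table reachable:", exposes_module_table(found))
```

An empty result only covers module objects held as module attributes; it does not show that the allowlist is safe.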