comp.lang.python

Re: Use eval() safely?

W. Martin Borgert

2/28/2010 10:52:00 PM

Gregory Ewing wrote:
> I posted a demonstration of this earlier in this thread.

As you wrote, your example does not work when using eval() like
in my original post, with the second and third parameters to eval():

>>> import math
>>> eval("[c for c in (0).__class__.__bases__[0].__subclasses__() if c.__name__ == 'file'][0]('/myfile', 'w')",
... { "__builtins__": None }, { "abs": abs, "sin": math.sin })
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode

(Same result with Python 2.4, 2.5, and 2.6.)

While I believe that eval() is not safe, I have yet to see an
example of exploiting it. Leaving out the second and third
parameters just proves that one shouldn't omit them :~)

Thanks in advance for any black hat example!

P.S. Please Cc me, thanks.
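The thread's underlying problem is that eval() parses and executes arbitrary Python, so restricting `__builtins__` only narrows what a string can reach, not what it can express. The usual mitigation is not to hand the string to eval() at all but to parse it with the `ast` module and walk an explicit allow-list of node types, so attribute access, subscripts, comprehensions and unknown names never execute. The evaluator below is an added example, not code from the original post; it assumes Python 3 (ast.Constant) and exposes the same two helpers the post passed to eval(), `abs` and `sin`.

```python
import ast
import math
import operator

# The only callables an expression may invoke (same helpers as the post's eval()).
ALLOWED_FUNCS = {"abs": abs, "sin": math.sin}

# Operators permitted inside expressions; anything else is rejected by type.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_EXPONENT = 1000  # bound on ** so a short string cannot burn CPU/memory


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the explicit allow-list."""


def _eval_node(node):
    # Only numeric literals, not strings/bytes (keeps the language purely arithmetic).
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    # Calls are allowed only as a bare allow-listed name with positional args:
    # no attribute lookups, no subscripts, no keywords, no unknown names.
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in ALLOWED_FUNCS and not node.keywords):
        return ALLOWED_FUNCS[node.func.id](*[_eval_node(a) for a in node.args])
    # Attribute, Subscript, ListComp, Name, Lambda, ... all land here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr: str):
    """Evaluate an arithmetic expression without ever calling eval()/exec()."""
    tree = ast.parse(expr, mode="eval")  # SyntaxError for non-expressions
    return _eval_node(tree.body)


def is_rejected(expr: str) -> bool:
    """True if the allow-list rejects the expression (used for checks below)."""
    try:
        safe_eval(expr)
    except UnsafeExpression:
        return True
    return False
```

Because the walker never resolves attributes or subscripts, the post's `(0).__class__.__bases__[0].__subclasses__()` chain is refused at the first `.__class__` rather than depending on what `__builtins__` happens to contain.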