Replacing open builtin


rmm

If I replace the open builtin eg

import __main__
__main__.__builtins__.open=None

Is there any way, from here on, to access the original open function??

Extending this slightly, let's say I put a reference to the original
open function inside a class called Isolate and protect this reference
using __getattribute__ and __setattr__. Is the original function now
isolated and only able to be referenced within Isolate?

In summary, are there any references to builtin functions other than
through __builtins__ and is __getattribute__, __setattr__ secure?

Regards

RMM
 

Brian Quinlan

Can anyone recommend a Python interactive shell for use in presentations?

Ideal characteristics (priority order):
o configurable font size
o full screen mode
o readline support
o syntax coloring

I've tried ipython but, since it runs inside a console window, and the
console window has a limited number of selectable fonts, it doesn't
work terribly well.

I've seen presentations using some sort of PyGame implemented shell.
Does anyone have an information on that?

Cheers,
Brian
 

rmm

Sorry, should maybe have used __import__ as an example.
Let's say I grab import, store the reference within the Isolate class
and then redirect the builtin import to a function in the Isolate class
which only allows certain modules to be imported -eg not sys. Would
this be secure?
 

Ville Vainio

Brian> Can anyone recommend a Python interactive shell for use in
Brian> presentations?

Brian> I've tried ipython but, since it runs inside a console
Brian> window, and the console window has a limited number of
Brian> selectable fonts, it doesn't work terribly well.

Hmm, do you consider the fonts in a console window unreadable? I've
given a few presentations using ipython on win32 and it worked alright
- but I suppose the projector quality is a factor here...
 

rmm

I had a quick look at the python source code and fileobject.c is one of
the core classes which, I would imagine, is why a reference can be
obtained. The other classes (method, dictionaries etc) don't look so
much of a liability. I'll maybe try disabling the fopen calls in
fileobject and see if it breaks anything (I've no need to open/close
files using the standard libraries).

Are there any other holes you can think of in the following scenario-
I disable all builtins except import which I protect in my 'Isolate'
class, I then only allow import to import a single module name.

Thanks for the speedy and informative replies.

RMM
 

Peter Hansen

rmm said:
I had a quick look at the python source code and fileobject.c is one of
the core classes which, I would imagine, is why a reference can be
obtained. The other classes (method, dictionaries etc) don't look so
much of a liability. I'll maybe try disabling the fopen calls in
fileobject and see if it breaks anything (I've no need to open/close
files using the standard libraries).

Are there any other holes you can think of in the following scenario-
I disable all builtins except import which I protect in my 'Isolate'
class, I then only allow import to import a single module name.

You *really* ought to be checking the list archives for the *many* past
discussions of this, and the many ways in which it is nowhere near as
easy as you seem to think it might be, as well as for the variety of
partially completed efforts -- some of which closely resemble your
approach -- which have been abandoned after it was demonstrated how they
could not work.

On the other hand, after reading all that, you just might be the one to
come up with the solution that combines just enough of each approach to
solve the problem once and for all, and the community would be very
grateful to you.

But I doubt you'll solve this by asking Jp to review (and, inevitably,
shoot down) each idea you come up with. Give him a break until you've
read some of the archived material on this. :)

-Peter
 

Brian Quinlan

Ville said:
Hmm, do you consider the fonts in a console window unreadable?

In fullscreen mode, yes (you get no choice of font size in Windows XP).
In Windowed mode you still only get a limited font selection (only two
fonts and only a few type sizes [most of which are small]).

Ville said:
I've given a few presentations using ipython on win32 and it worked alright
- but I suppose the projector quality is a factor here...

I'll get by but I was hoping for something better.

Cheers,
Brian
 

James Carroll

---------- Forwarded message ----------
From: James Carroll <[email protected]>
Date: May 11, 2005 10:43 AM
Subject: Re: Interactive shell for demonstration purposes
To: Brian Quinlan <[email protected]>


I would personally try looking at the PyCrust.py that's included with
wxPython. It has a standard shell, and you can use the Ctrl-] hotkey
to increase the font size. You can make it big and readable... (but
not bold, which would be nice.) Then, hide your taskbars (or system
menus) and maximize...

-Jim


 

rmm

Sorry, didn't mean to pester Jp

I have checked the archives, Rexec copies __builtins__, causing the del
__builtins__ issue. I'm modifying the lowest level __builtins__.
I am also using __getAttribute__ and __setAttr__, I could find no
mention of security holes on the lists.

Let me re-state the question:
1. Once I've set all builtins except Import to None. Is there any way
of re-binding these built-ins if import is restricted to a single
module?
2. Are classes protected using __getAttribute__ and __setAttr__ secure?

If these questions have been asked already, could you point me to
where?

-Ronnie
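
An added example, not part of any post in this thread: a Python 3 check of the two questions restated above, with Python 3's `builtins` module standing in for the thread's `__builtins__`. It blanks `builtins.open` and lists the other module attributes still bound to the same object, then tests a guard class; the body of `Isolate` and both function names are constructed here, since the thread names the class but never shows it.

```python
import builtins
import sys


def residual_references(name):
    """Blank builtins.<name>, then list other module attributes still bound to it."""
    original = getattr(builtins, name)
    setattr(builtins, name, None)            # the replacement asked about in the thread
    try:
        holders = []
        for mod_name, mod in list(sys.modules.items()):
            namespace = getattr(mod, "__dict__", None)
            if mod is builtins or not isinstance(namespace, dict):
                continue
            holders += [f"{mod_name}.{attr}"
                        for attr, value in list(namespace.items())
                        if value is original]
        return sorted(holders)
    finally:
        setattr(builtins, name, original)    # restore so the interpreter keeps working


class Isolate:
    """Constructed guard: hides one attribute and refuses all assignment."""

    def __init__(self, ref):
        object.__setattr__(self, "_ref", ref)

    def __getattribute__(self, name):
        if name == "_ref":
            raise AttributeError("access denied")
        return object.__getattribute__(self, name)

    def __setattr__(self, name, value):
        raise AttributeError("read-only")


def isolate_leaks(guard, secret):
    """Return the access paths through which `guard` still yields `secret`."""
    leaks = []
    try:
        guard._ref
        leaks.append("guard._ref")
    except AttributeError:
        pass                                  # the override blocks ordinary access
    if object.__getattribute__(guard, "_ref") is secret:
        leaks.append("object.__getattribute__")
    return leaks
```

Calling `residual_references("open")` and `isolate_leaks(Isolate(open), open)` shows what each measure leaves reachable inside the same interpreter.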
 

Bengt Richter

Ville said:
Hmm, do you consider the fonts in a console window unreadable?

Brian said:
In fullscreen mode, yes (you get no choice of font size in Windows XP).
In Windowed mode you still only get a limited font selection (only two
fonts and only a few type sizes [most of which are small]).

Ville said:
I've given a few presentations using ipython on win32 and it worked alright
- but I suppose the projector quality is a factor here...

Brian said:
I'll get by but I was hoping for something better.

If you make your console 96 wide and set the font to Lucida Console Bold 24point,
it will probably expand to near full screen on 1024x768. You can set the scroll buffer
to a couple hundred lines and adjust console window height to suit. Use the properties
from the system icon, or get there by Alt-Space P etc.
You can change the fg/bg colors also, though not a big selection either. I'm not a fan of idle
for my system (NT4) though it looks nice enough and has more fonts to choose from.

Regards,
Bengt Richter
 

Brian Quinlan

Bengt said:
If you make your console 96 wide and set the font to Lucida Console Bold 24point,
it will probably expand to near full screen on 1024x768. You can set the scroll buffer
to a couple hundred lines and adjust console window height to suit. Use the properties
from the system icon, or get there by Alt-Space P etc.

That's not bad. There are two caveats:
1. you have to set the width to 72 characters (instead of 80) at
1024x768 with 24 point fonts
2. you can't run in full-screen mode

Cheers,
Brian
 

Bengt Richter

Brian said:
That's not bad. There are two caveats:
1. you have to set the width to 72 characters (instead of 80) at
1024x768 with 24 point fonts

Well, you don't _have_ to ;-) E.g., I have my screen buffer size set to 96 wide and 200 high,
so when I select 24-pt bold Lucida Console, I don't see more than about 68 characters within
the frame, but I can scroll horizontally to see to the 96 limit. If I output more than 96 wide,
it wraps to the next line. You may want to set wrap/buffer width at 72, but that's a choice, not
a have-to, at least on my system ;-)

Brian said:
2. you can't run in full-screen mode

Well, my system permits it, sort of, but it does force some layout and ugly raster font that reminds
of a black BSOD and is probably controlled by some registry stuff that I am too lazy to pursue.
I had to kill it (the console window) to get back to a normal console window, but that is probably
because I don't know the secret incantation off hand ;-/

Anyway, HIIH (happy if it helped ;-)

Regards,
Bengt Richter
 
