isaacg1 / pyth

Pyth, an extremely concise language. Try it here:
https://pyth.herokuapp.com/
MIT License

' doesn't work in the online interpreter #157

Closed refi64 closed 8 years ago

refi64 commented 8 years ago

https://pyth.herokuapp.com/?code=%27%22https%3A%2F%2Fwww.google.com%2F&debug=0

Code:

'"https://www.google.com/

Output:

Traceback (most recent call last):
  File "pyth.py", line 640, in <module>
  File "<string>", line 3, in <module>
  File "/app/macros.py", line 325, in read_file
  File "/app/.heroku/python/lib/python3.4/urllib/request.py", line 153, in urlopen
  File "/app/.heroku/python/lib/python3.4/urllib/request.py", line 455, in open
  File "/app/.heroku/python/lib/python3.4/urllib/request.py", line 473, in _open
  File "/app/.heroku/python/lib/python3.4/urllib/request.py", line 433, in _call_chain
  File "/app/.heroku/python/lib/python3.4/urllib/request.py", line 1230, in https_open
  File "/app/.heroku/python/lib/python3.4/urllib/request.py", line 1189, in do_open
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 1090, in request
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 1128, in _send_request
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 1086, in endheaders
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 924, in _send_output
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 859, in send
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 1221, in connect
  File "/app/.heroku/python/lib/python3.4/http/client.py", line 836, in connect
  File "/app/.heroku/python/lib/python3.4/socket.py", line 491, in create_connection
  File "/app/.heroku/python/lib/python3.4/socket.py", line 530, in getaddrinfo
  File "/app/.heroku/python/lib/python3.4/encodings/__init__.py", line 97, in search_function
NameError: name '__import__' is not defined

Maltysen commented 8 years ago

This is the same problem as in the regexp function - dynamic imports are disallowed in safe mode, and both re and urllib use them. I'm not really sure why they are disallowed though, since we also have full-eval and super-quote disabled.

isaacg1 commented 8 years ago

The reason imports are disabled in safe mode is to guard against accidental security breaches. There are two lines of defence: first, we eliminate the obvious means of running arbitrary python code, and second, we try to ensure that if arbitrary python code is executed, security doesn't fall.

A past bug in string escaping allowed arbitrary python code execution without full eval or super-quote, so I don't want the removal of full eval and super-quote to be the only line of defence.

While I'd like to work around this, allowing general import is not the solution I'd like to go with.

refi64 commented 8 years ago

@isaacg1 You could always override the __import__ function to only allow importing certain files and throw an error for anything else.
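The override refi64 suggests, written out as an added example (this is not Pyth's code): the NameError in the traceback comes from encodings resolving `__import__` through the real builtins module, so instead of deleting that name globally, the sandboxed namespace gets its own builtins dict whose `__import__` enforces an allowlist while `builtins.__import__` is left intact for the stdlib's lazy imports. The package list and the stripped builtins are assumptions for the demo.

```python
import builtins

# Assumption: top-level packages the sandboxed program may name in an
# import statement; anything else is refused before Python touches it.
ALLOWED_PACKAGES = frozenset({"re", "urllib", "codecs", "encodings"})
# Assumption: builtins that give direct code or file access are dropped from
# the sandbox namespace (Pyth's own safe-mode pruning is not reproduced here).
STRIPPED_BUILTINS = frozenset({"open", "exec", "eval", "compile", "input"})


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Same signature as __import__, but admits only allowlisted packages."""
    if level != 0:
        raise ImportError("relative imports are not available in safe mode")
    if name.partition(".")[0] not in ALLOWED_PACKAGES:
        raise ImportError(f"import of {name!r} is not allowed in safe mode")
    # Delegate to the untouched interpreter import for allowed names.
    return builtins.__import__(name, globals, locals, fromlist, level)


def make_safe_builtins():
    """Builtins dict for sandboxed code: pruned, with __import__ gated."""
    safe = {k: v for k, v in vars(builtins).items() if k not in STRIPPED_BUILTINS}
    safe["__import__"] = guarded_import
    return safe


def run_sandboxed(code):
    """Run untrusted source with gated imports and return its namespace.

    builtins.__import__ itself is left intact, so the lazy __import__ in
    encodings' search_function (see the traceback) still resolves."""
    ns = {"__builtins__": make_safe_builtins(), "__name__": "__sandbox__"}
    exec(compile(code, "<sandbox>", "exec"), ns)
    return ns


def import_is_refused(code):
    """True when the snippet is stopped at the import gate."""
    try:
        run_sandboxed(code)
    except ImportError:
        return True
    return False


if __name__ == "__main__":
    ns = run_sandboxed("import codecs\nname = codecs.lookup('idna').name")
    print(ns["name"])                      # idna
    print(import_is_refused("import os"))  # True
```

An import gate is only the first of the two lines of defence isaacg1 describes: a module on the allowlist can still hand user code references to modules outside it, so the second layer is still needed.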

isaacg1 commented 8 years ago

Not worth fixing, but I would accept a pull request that fixed this.