September 24, 2003
Nice New Things
So right away I have something to show anyone who wants to look. I've been thinking about the whole RExec/Bastion problem, and I may have come up with a solution. I'd also appreciate it if anyone could fill me in on any obvious security flaws.
Check out SaferPython. It is my attempt to build a restricted execution environment for Python. Admittedly, I don't think I know enough about the new language features to be sure this works. I've tried a number of "exploits", and it seems to provide the kind of protection I want, but I'm pretty sure it lacks some of the abilities that RExec users need.
I wrote this based upon the following premises:
- That my primary goal is to offer some sort of scripting environment, even if it is only a subset of the Python language. Call it PythonScript or something (ah, jk, I think that already exists)...
- That any class/object that I could want in the restricted environment would be accessible to me ahead of time.
- That none of the objects in this environment can return anything but safe objects.
For the moment, I can be sure that the classes are secure, since importing is disabled from inside the environment. Only classes/objects that are explicitly imported are available.
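The three premises above, worked through in code. This is an added illustration; it is neither SaferPython's code nor the old rexec/Bastion modules, and it is written for Python 3 (rexec and Bastion are long gone), but the class-hierarchy walk it shows is the same trick that new-style classes made possible and that a namespace-only sandbox cannot stop. The names naive_exec, restricted_exec, check_restricted, ESCAPE and FORMAT_LEAK are mine, and the two "untrusted" scripts are constructed inputs:

```python
"""Why a namespace-only Python sandbox leaks, and one way to narrow the hole.

Added illustration; not SaferPython's code and not the old rexec/Bastion
modules.  Written for Python 3 (rexec/Bastion are long gone), but the
class-hierarchy walk below is the same trick that broke them once every
object became an instance of a new-style class.
"""
import ast
import os

# Constructed "untrusted" script.  It needs no builtins at all: the tuple
# literal () yields tuple, whose base is object, whose __subclasses__() lists
# every class loaded in the interpreter.  Any class written in Python has a
# Python-level __init__ whose __globals__ is its module dict, which carries
# that module's __builtins__, and from there __import__ is one lookup away.
ESCAPE = '''
result = None
for cls in ().__class__.__base__.__subclasses__():
    try:
        g = cls.__init__.__globals__
    except:
        continue                     # C-implemented class, no __globals__
    b = g.get("__builtins__")
    if b is None:
        continue
    try:
        imp = b["__import__"]        # __builtins__ is a dict in most modules
    except:
        try:
            imp = b.__import__       # ... and the builtins module in __main__
        except:
            continue
    result = imp("os")
    break
'''

# Constructed: no Attribute node in the AST, yet str.format reads attributes.
FORMAT_LEAK = 'leak = "{0.__class__}".format(())'


def naive_exec(src):
    """rexec-style restriction: empty builtins, no import machinery.
    Returns the namespace the script left behind."""
    ns = {"__builtins__": {}}
    exec(src, ns)
    return ns


class RestrictedSyntax(Exception):
    """Raised when untrusted source uses a construct the subset forbids."""


def check_restricted(src):
    """Premise 1, the language subset: refuse import statements and any
    name or attribute starting with '__'.  The class machinery is only
    reachable through such names, so this blocks the walk in ESCAPE no
    matter which objects the host exposes.  Returns the parsed tree."""
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise RestrictedSyntax(f"import at line {node.lineno}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise RestrictedSyntax(f"attribute {node.attr!r} at line {node.lineno}")
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            raise RestrictedSyntax(f"name {node.id!r} at line {node.lineno}")
    return tree


def is_rejected(src):
    """True if check_restricted refuses the source."""
    try:
        check_restricted(src)
        return False
    except RestrictedSyntax:
        return True


def restricted_exec(src, exposed):
    """Premises 2 and 3: the script sees only the objects in `exposed`,
    nothing else, and the subset check runs before any code does."""
    tree = check_restricted(src)
    ns = {"__builtins__": {}}
    ns.update(exposed)
    exec(compile(tree, "<untrusted>", "exec"), ns)
    return ns


def escape_naive():
    """What ESCAPE reaches under naive_exec: the real os module."""
    return naive_exec(ESCAPE)["result"]


def escape_restricted():
    """The rejection message ESCAPE gets from restricted_exec."""
    try:
        return restricted_exec(ESCAPE, {})["result"]
    except RestrictedSyntax as e:
        return str(e)


def format_leak():
    """The caveat: str.format field access slips past the AST filter."""
    return restricted_exec(FORMAT_LEAK, {})["leak"]


if __name__ == "__main__":
    print("naive sandbox handed out os:", escape_naive() is os)
    print("restricted sandbox:", escape_restricted())
    print("still leaks through str.format:", format_leak())
```

Running the file shows the point of the page: with builtins emptied and imports disabled, untrusted code still gets the real os module through a tuple literal, so premise 3 (exposed objects only return safe objects) cannot be met by wrapping the objects you hand over; the escape starts from a literal the language provides. Refusing double-underscore names at the AST level, which is what Zope's RestrictedPython does, closes that route, but the last function shows it is not the whole story: str.format reads attributes through its field syntax without an Attribute node, and the same goes for getattr or setattr if the host ever exposes them. Premise 3 therefore has to hold for every method of every exposed object, string methods included, and none of this addresses CPU or memory exhaustion.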
September 23, 2003
Ch-ch-ch-ch-changes...
First of all, welcome to the latest-greatest version of the InnerSpace website. Since I slacked off so much on updates recently, I decided to start using Movable Type to run this site as a weblog. Since it greatly simplifies the process for me, I hope to post more frequently.
I have a bit more time to talk about some of the changes going on in the InnerSpace codebase. One of the biggest has to do with a problem introduced with Python 2.2.
With the new-style classes that arrived in Python 2.2, it was discovered that the RExec and Bastion modules no longer provide real protection against untrusted code: new-style classes give a restricted script new ways to break out of the environment, and as of Python 2.3 both modules have been declared dead and raise a RuntimeError on import. This is obviously a big deal, since restricted execution is something projects like InnerSpace, the Grail web browser and, to some extent, Zope rely on heavily. Some additional explanation of the situation can be found here and here.
However, PythonLabs has pretty much said they have neither the resources to fix what's wrong with RExec/Bastion nor to provide a replacement. So, this kinda sucks.
September 21, 2003
Whoa! That's a Spicy Meatball!!
So, it's been a pretty long time since I've updated anything on this page. This is, however, no indication of how much work is being done on InnerSpace; as a matter of fact, things are better than ever!
I've been restructuring some of the less stable components of the framework, namely, the network layer. I've opted to use the Twisted framework to provide a networking layer. This allows me to focus on the stuff that's important for a framework like this, while having the assurance of a rock-solid networking foundation.
As of yet, I haven't updated the CVS repository with the new stuff, but that's definitely on the way. I'm under some time constraints, as I finally have a job, and that's taking up a lot of my time. However, here are some things you can look forward to:
- A new and nicer client, with facilities for nicer-looking text, embedded images, and a generally more pleasant (and more functional) experience.
- A fully operational verb/object and property editor.
- A much more efficient networking layer (thanks to Twisted).
- and much more...
September 19, 2003
tunes for enjoyment
These are some recordings that I put together with Matt Cole (drums) and Rob Pawlings (bass). We had a short-lived project called Sesshomaru that we had a lot of fun with, even though we really didn't have the time to do anything productive with it. We'll see what comes of it all...
- Red Baron (Cobham)
- Free Jazz for 'Heads (Sesshomaru)
- A Go-Go (Scofield)
- Blue Bossa (Dorham)
- All Blues (Davis)
- Who Stepped on Diz's Horn (Christensen/Wilson)
- Cissy Strut (Modeliste)
