74 lines
2.6 KiB
XML
74 lines
2.6 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
]>
|
|
<chapter id="chap-Defensive_Coding-Python">
|
|
<title>The Python Programming Language</title>
|
|
<para>
|
|
Python provides memory safety by default, so low-level security
|
|
vulnerabilities are rare and typically needs fixing the Python
|
|
interpreter or standard library itself.
|
|
</para>
|
|
<para>
|
|
Other sections with Python-specific advice include:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="chap-Defensive_Coding-Tasks-Temporary_Files"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="sect-Defensive_Coding-Tasks-Processes-Creation"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="chap-Defensive_Coding-Tasks-Serialization"/>, in
|
|
particular <xref linkend="sect-Defensive_Coding-Tasks-Serialization-Library"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="sect-Defensive_Coding-Tasks-Cryptography-Randomness"/>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<section>
|
|
<title>Dangerous standard library features</title>
|
|
<para>
|
|
Some areas of the standard library, notably the
|
|
<literal>ctypes</literal> module, do not provide memory safety
|
|
guarantees comparable to the rest of Python. If such
|
|
functionality is used, the advice in <xref
|
|
linkend="sect-Defensive_Coding-C-Language"/> should be followed.
|
|
</para>
|
|
</section>
|
|
<section>
|
|
<title>Run-time compilation and code generation</title>
|
|
<para>
|
|
The following Python functions and statements related to code
|
|
execution should be avoided:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem><para><function>compile</function></para></listitem>
|
|
<listitem><para><function>eval</function></para></listitem>
|
|
<listitem><para><literal>exec</literal></para></listitem>
|
|
<listitem><para><function>execfile</function></para></listitem>
|
|
</itemizedlist>
|
|
<para>
|
|
If you need to parse integers or floating point values, use the
|
|
<function>int</function> and <function>float</function>
|
|
functions instead of <function>eval</function>. Sandboxing
|
|
untrusted Python code does not work reliably.
|
|
</para>
|
|
</section>
|
|
<section>
|
|
<title>Sandboxing</title>
|
|
<para>
|
|
The <literal>rexec</literal> Python module cannot safely sandbox
|
|
untrusted code and should not be used. The standard CPython
|
|
implementation is not suitable for sandboxing.
|
|
</para>
|
|
</section>
|
|
</chapter>
|