On Sandboxing Genshi
One of the big advantages of Django templates is that they are sandboxed. The Django sandbox is pretty secure because the templates themselves offer nearly no way to screw things up, mainly because there is no way to put real logic into a Django template. The only way to add a security problem to Django templates is to write broken template tags or the like. Jinja, on the other hand, has real expressions, and with them comes the possibility to screw things up. But the Jinja core itself restricts access to Python internals, and as long as you keep the objects you pass into the template context safe, nobody will be able to execute arbitrary Python code from a template or access the filesystem.
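To make that sandboxing idea concrete, here is an added example (not Jinja's code and not part of the original post): a minimal template-expression evaluator in the style of the Jinja sandbox, where every attribute lookup, subscript and call has to pass a policy check before it happens. The policy itself (underscore-prefixed names blocked, classes not callable, an `unsafe_callable` flag that an application can set on its own methods), the `Shell` object and the expressions evaluated at the end are assumptions constructed for the example; the `SandboxedEvaluator` class is hypothetical and not an API of Jinja or Genshi.

```python
import ast
import operator
from types import SimpleNamespace


class SecurityError(Exception):
    """Raised when a template expression tries something the sandbox forbids."""


# Assumed policy: underscore-prefixed attributes (all dunders) plus a few
# introspection names without an underscore are off limits.
UNSAFE_NAMES = {"mro", "func_globals", "f_globals", "f_locals", "gi_frame", "gi_code"}


def is_safe_attribute(name):
    return not name.startswith("_") and name not in UNSAFE_NAMES


def is_safe_callable(obj):
    # No calling classes; the application may flag a method with unsafe_callable = True.
    return (callable(obj) and not isinstance(obj, type)
            and not getattr(obj, "unsafe_callable", False))


class SandboxedEvaluator(ast.NodeVisitor):
    BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

    def __init__(self, context):
        self.context = context  # the only names a template can see; no builtins

    def evaluate(self, expression):
        return self.visit(ast.parse(expression, mode="eval").body)

    def visit_Constant(self, node):
        return node.value

    def visit_Name(self, node):
        if node.id not in self.context:
            raise SecurityError(f"unknown name {node.id!r}")
        return self.context[node.id]

    def visit_Attribute(self, node):
        if not is_safe_attribute(node.attr):
            raise SecurityError(f"attribute {node.attr!r} is not accessible")
        return getattr(self.visit(node.value), node.attr)

    def visit_Subscript(self, node):
        container = self.visit(node.value)
        key = self.visit(node.slice)
        # A string key may be an attribute name in disguise, so screen it too.
        if isinstance(key, str) and not is_safe_attribute(key):
            raise SecurityError(f"key {key!r} is not accessible")
        return container[key]

    def visit_Call(self, node):
        func = self.visit(node.func)
        if not is_safe_callable(func):
            raise SecurityError(f"{func!r} may not be called")
        args = [self.visit(arg) for arg in node.args]
        kwargs = {kw.arg: self.visit(kw.value) for kw in node.keywords}
        return func(*args, **kwargs)

    def visit_BinOp(self, node):
        op = self.BINOPS.get(type(node.op))
        if op is None:
            raise SecurityError(f"operator {type(node.op).__name__} not allowed")
        return op(self.visit(node.left), self.visit(node.right))

    def generic_visit(self, node):
        # Anything not handled above (lambdas, comprehensions, ...) is refused.
        raise SecurityError(f"syntax {type(node).__name__} not allowed")


class Shell:
    # An application object that must not be reachable from templates.
    def run(self, command):
        return f"(would execute {command!r})"
    run.unsafe_callable = True  # the flag is_safe_callable() honours


def run_demo():
    """Evaluate constructed expressions; returns {expr: ("ok", value) or ("blocked", msg)}."""
    sandbox = SandboxedEvaluator({"user": SimpleNamespace(name="alice"), "items": [1, 2, 3], "shell": Shell()})
    expressions = [
        "user.name.upper()",                         # ordinary template use
        "items[0] + 1",
        "''.__class__.__mro__[1].__subclasses__()",  # the classic escape chain
        "items['__class__']",                        # same idea via a subscript
        "__import__('os')",                          # no builtins in the context
        "shell.run('rm -rf /')",                     # flagged application method
    ]
    results = {}
    for expr in expressions:
        try:
            results[expr] = ("ok", sandbox.evaluate(expr))
        except SecurityError as exc:
            results[expr] = ("blocked", str(exc))
    return results
```

The first two expressions evaluate normally; the remaining four are refused before anything dangerous runs, and the `__import__` case shows why a sandbox must also start from an empty namespace rather than the interpreter's builtins. Today's Jinja2 exposes the same two hooks on `jinja2.sandbox.SandboxedEnvironment` (`is_safe_attribute` and `is_safe_callable`) and honours an `unsafe_callable` marker in the same way; the example mirrors that design without copying its code. The last case is the author's point about keeping your objects safe: the attribute guard does nothing for a method that shells out if the application exposes it to the template unflagged.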
Some time ago Christopher Lenz blogged about logic in templates, and one of the things he stated there was the following sentence about Genshi:
But even though I personally prefer working with a template language that allows me to use a real programming language (Python, Ruby, etc), there is definitely room for template languages that put severe restrictions on what you can do with them. An obvious example is that you’re running a site such as Typepad, and want to allow users to manage their own custom templates. As things currently stand, you wouldn’t be able to do that using Genshi.
Just because Genshi doesn't support it yet doesn't mean it will stay that way. In fact, the great architecture of Genshi makes sandboxing it quite simple. To see how secure we can get Genshi, I started a Genshi branch today. Maybe you will be able to use Genshi for user-provided templates soon :-)
On another note: I got quite a few mails saying that my blog is or was broken. As you may know, we have had some problems with the load on our server over the last months. To resolve that problem I tweaked Apache over the last two days, and while doing that various services behaved strangely or caused problems. By now everything should work again.
Btw, about Django templates being sandboxed/secure:
include tag security hole
(Hope that comes out right; there are no hints here about how comments are supposed to be formatted to include links etc.)
Comment by Christopher Lenz — Thursday, September 27th, 2007 @ 2:37 pm
I have no idea how comments are parsed in WordPress, probably some limited amount of HTML. I shortened the link in the admin.
That thing is definitely bad; I thought the Django template loader makes sure nothing outside of the Django root is included. That couldn't happen with Genshi ;-)
Comment by Armin Ronacher — Thursday, September 27th, 2007 @ 6:17 pm