[Python-Dev] Reviving restricted mode?

P.J. Eby pje at telecommunity.com
Mon Feb 23 05:14:54 CET 2009


At 07:56 PM 2/22/2009 -0800, Guido van Rossum wrote:
>On Sun, Feb 22, 2009 at 7:39 PM, P.J. Eby <pje at telecommunity.com> wrote:
> > Just a question, but, if you just need a pure-python restricted environment
> > for App Engine, why not just use the RestrictedPython package (i.e.,
> > http://pypi.python.org/pypi/RestrictedPython )?
>
>How does that work? Remember, app engine doesn't support certain
>things, and bytecode manipulations (if that's what RestrictedPython
>does) are one of the unsupported things.

It doesn't modify bytecode, it modifies an AST.  It basically 
replaces prints, and attribute/item read/writes with function 
calls.  Unfortunately, it does this AST modification by running as a 
traversal against the stdlib compiler package's AST, not a modern 
AST.  So, I suppose it might not be usable as-is on app engine.

It does, however, have the advantage of having been used in Zope for 
oh, six or seven years now?  ISTM that it first came out around the 
same time as Python 2.3, and the latest version just dropped support 
for Python 2.1 and 2.2.  So, if you want something that wasn't thrown 
together in an afternoon, it might be a good thing to take a look at.  ;-)


>The other reason I can think of is that Tav is a capabilities purist. :-)

You can implement capabilities on top of RestrictedPython; it's 
simply a policy-neutral enforcement framework.
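
The rewrite this message describes, sketched with the modern `ast` module as an added example; it is not part of the original post and is not RestrictedPython's own code. The hook name `_guard_getattr`, the helper `run_restricted` and both policies are hypothetical, and the sketch covers attribute reads only, so it is not a complete sandbox.

```python
import ast

class GuardRewriter(ast.NodeTransformer):
    """Turn every attribute read `obj.name` into `_guard_getattr(obj, 'name')`."""

    def visit_Name(self, node):
        # Reject Name nodes with a leading underscore, which includes the hook.
        if node.id.startswith("_"):
            raise SyntaxError(f"name {node.id!r} is reserved")
        return node

    def visit_Attribute(self, node):
        self.generic_visit(node)  # rewrite nested reads such as a.b.c first
        if not isinstance(node.ctx, ast.Load):
            raise SyntaxError("attribute writes/deletes are outside this sketch")
        call = ast.Call(
            func=ast.Name(id="_guard_getattr", ctx=ast.Load()),
            args=[node.value, ast.Constant(value=node.attr)],
            keywords=[],
        )
        return ast.copy_location(call, node)

def run_restricted(source, guard, env=None):
    """Rewrite, compile and run `source`; `guard` is the caller's policy."""
    tree = GuardRewriter().visit(ast.parse(source, mode="exec"))
    ast.fix_missing_locations(tree)
    scope = dict(env or {})
    scope.update({"__builtins__": {}, "_guard_getattr": guard})
    exec(compile(tree, "<restricted>", "exec"), scope)
    return scope

def no_private(obj, name):
    """Policy 1: blanket rule, underscore-prefixed attributes are off limits."""
    if name.startswith("_"):
        raise AttributeError(f"read of {name!r} denied")
    return getattr(obj, name)

def capability(granted):
    """Policy 2: only (type, attribute) pairs granted up front are readable."""
    def guard(obj, name):
        if (type(obj), name) not in granted:
            raise AttributeError(f"no capability for {type(obj).__name__}.{name}")
        return getattr(obj, name)
    return guard

if __name__ == "__main__":
    print(run_restricted("r = s.upper()", no_private, {"s": "abc"})["r"])
```

The rewriter is the same for both policies; only the guard passed to `run_restricted` changes, which is the sense in which the enforcement layer is policy-neutral.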


