Embedding Python in Python

Darryl madhobbit at geocities.com
Tue Oct 14 09:47:59 EDT 2003


claird at lairds.com (Cameron Laird) wrote in message news:<voe1ph32i3s93 at corp.supernews.com>...
> There's a lot to say on the subject of interpretation of
> code supplied by users.  In particular, the three Python
> projects
>   rexec
>   Bastion
>   RestrictedPython
> all address this requirement on a technical level.  If 
> your goal is a useful working application, I strongly 
> urge you to read up on these.  Correct construction on
> your own of a "blacklist" is ... difficult.

Given my current level of Python knowledge, I don't consider myself
capable of writing such a blacklist - I might be able to pull it off
in other languages, but not Python. I've looked at rexec and Bastion,
and (as another poster mentioned) got the impression they were
defunct. I've also been pointed at Zope, but haven't had time to
investigate it.

Since this is a casual project that I'm not spending too much time on,
I'll probably ignore the issue for now. Since I often see Python
promoted as an application scripting language, I had hoped that it had
built-in restrictions of this nature, akin to a Java applet's sandbox.
I'm now getting the impression that if I embedded Python as the
scripting language in any app, it would be similar to using VBA - an
unrestricted environment that gives the script the power to do
whatever it wants.

I think I'll go ahead with the project with only a few simple
restrictions right now (i.e. no 'import') and only allow trusted users
to write scripts. I'll also run the application in a chroot jail
(OS-specific, I know) to limit the amount of damage that can be done.

Thanks for all the advice,
- Darryl
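
The "no 'import'" restriction described above can be checked on the parsed script rather than on its text. The following is an added example, not part of the original post or of rexec, Bastion or RestrictedPython; it assumes Python 3's `ast` module, and `find_violations`, `run_script`, `DENIED_NAMES`, `SAFE_BUILTINS` and the sample script are hypothetical names constructed for illustration.

```python
import ast

# Constructed policy (an assumption): names a script may never reference,
# and the only builtins it is handed at run time.
DENIED_NAMES = {"eval", "exec", "compile", "open", "getattr", "setattr",
                "delattr", "globals", "locals", "vars", "input"}
SAFE_BUILTINS = {"len": len, "range": range, "min": min, "max": max, "abs": abs}

def find_violations(source):
    """Return sorted (line, reason) pairs for constructs the policy rejects."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return [(exc.lineno or 0, "syntax error")]
    found = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            found.append((line, "import statement"))
        elif isinstance(node, ast.Name) and (
                node.id in DENIED_NAMES or node.id.startswith("_")):
            # Covers __import__ and __builtins__ as well as the deny list.
            found.append((line, "denied name: " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            found.append((line, "private attribute: " + node.attr))
    return sorted(found)

def run_script(source, api):
    """Run a vetted script that sees only SAFE_BUILTINS and the names in api."""
    violations = find_violations(source)
    if violations:
        raise PermissionError(violations)
    env = {"__builtins__": dict(SAFE_BUILTINS)}
    env.update(api)
    exec(compile(source, "<user script>", "exec"), env)
    return env

if __name__ == "__main__":
    # Constructed sample script: one allowed line, then three rejected ones.
    sample = ("total = add(2, 3)\n"
              "import os\n"
              "m = __import__('os')\n"
              "c = ().__class__\n")
    for line, reason in find_violations(sample):
        print("line %d: %s" % (line, reason))
    print(run_script("total = add(2, 3)", {"add": lambda a, b: a + b})["total"])
```

This is a pre-filter for scripts written by trusted users, in line with the plan in the post; it is a deny list of the kind the quoted reply calls difficult to get right, so the OS-level confinement still carries the real containment.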



