Embedding Python in Python
Jack Diederich
jack at performancedrivers.com
Wed Aug 18 16:06:34 EDT 2004
On Wed, Aug 18, 2004 at 07:44:47PM +0000, JCM wrote:
> Paul Rubin <http://phr.cx@nospam.invalid> wrote:
> > JCM <joshway_without_spam at myway.com> writes:
> >> If you're concerned about security, another possibility is to parse
> >> the user's code and look for anything potentially dangerous. You'll
> >> need to be aggressive, but I believe it's possible. For example,
> >> disallow exec statements, the identifier "eval", any identifier of
> >> __this__ form, import statements, etc. This is overly restrictive,
> >> but it will provide security.
>
> > By the time you're done with all that, you may as well design a new
> > restricted language and interpret just that.
>
> > Hint:
> > e = vars()['__builtins__'].eval
> > print e('2+2')
>
> > Even Java keeps getting new holes found, and Python is not anywhere
> > near Java when it comes to this kind of thing.
>
> I don't think it's as difficult as you think. Your snippet of code
> would be rejected by the rules I suggested. You'd also want to
> prohibit other builtins like compile, execfile, input, reload, vars,
> etc.
>
foo = "ev" + "al"
e = vars()['__builtins__'].__dict__[foo]
print e('2+2')
This is a job for the operating system and not python.
Google groups for rexec and Bastion if you want to read ten lenghty
discussions of why this is the OS's job.
-Jack
More information about the Python-list
mailing list