Embedding Python in Python
Robey Holderith
robey at slash_dev_slash_random.org
Wed Aug 18 17:48:26 EDT 2004
On Wed, 18 Aug 2004 15:27:50 -0400, Phil Frost wrote:
> No. An easy way to escape that is to start one's code with
> 'del __builtins__', then python will add the default __builtins__ back
> to the namespace. Restricting what arbitrary code can do has been
> discussed many, many times, and it seems there is no way to do it short
> of reimplementing a python interpreter.
Out of curiosity I tried the following in 2.3.4
#------Begin Code
import random
globalDict = {'__builtins__':random}
localDict = {}
execfile("test2.py", globalDict, localDict)
print globalDict
print localDict
localDict['move']()
#------- End Code
Where test2.py looked like this:
#---------Begin Code
print __builtins__
try:
    del __builtins__
    print 'del worked'
except:
    pass
try:
    exec('del __builtins__')
    print('exec del worked')
except:
    pass
try:
    import sys
    print 'Import Worked'
except:
    pass
try:
    f = file('out.tmp','w')
    f.write('asdfasdf')
    f.close()
    print 'File Access Worked'
except:
    pass
seed()
def move():
    print __builtins__
#------ End Code
I'm sure it has a crack in it somewhere, but it doesn't
seem to be del __builtins__ .
-Robey
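
An added example, not part of the original post: a Python 3 port of the experiment that records which operations fail when the `random` module stands in for `__builtins__`, and compares `del __builtins__` with separate globals/locals dicts (as in the post) against a single shared dict. The names `probe` and `reexec_after_del` are hypothetical, and the results are those of current CPython 3, not 2.3.4.

```python
# Added example (Python 3), not the poster's code.
import random


def probe(code, shared):
    """Exec `code` with the random module as __builtins__.

    shared=False mirrors the post (separate globals and locals dicts);
    shared=True passes one dict for both.
    Returns (exception class name or None, globals dict).
    """
    g = {'__builtins__': random}
    l = g if shared else {}
    try:
        exec(code, g, l)
        return None, g
    except Exception as exc:
        return type(exc).__name__, g


def reexec_after_del():
    """Delete __builtins__ in a shared namespace, then exec on the same dict again."""
    err, g = probe("del __builtins__", shared=True)
    removed = '__builtins__' not in g
    # exec() inserts the caller's default builtins when the key is missing,
    # so the restriction does not survive a second exec on this dict.
    exec("n = len('abc')", g)
    return err, removed, g.get('n')


if __name__ == "__main__":
    # The snippets below are constructed to match the checks in test2.py.
    for src in ("seed()", "import sys", "open('out.tmp', 'w')", "del __builtins__"):
        print("%-24r separate: %-12s shared: %s"
              % (src, probe(src, False)[0], probe(src, True)[0]))
    print("after del + second exec:", reexec_after_del())
```

With separate dicts the top-level `del` targets the locals dict, which has no `__builtins__` key, so it raises NameError; a bare `except: pass` like the one in test2.py would swallow that silently.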