Embedding Python in Python

Paul Rubin http
Wed Aug 18 15:35:39 EDT 2004


JCM <joshway at myway.com> writes:
> If you're concerned about security, another possibility is to parse
> the user's code and look for anything potentially dangerous.  You'll
> need to be aggressive, but I believe it's possible.  For example,
> disallow exec statements, the identifier "eval", any identifier of
> __this__ form, import statements, etc.  This is overly restrictive,
> but it will provide security.

By the time you're done with all that, you may as well design a new
restricted language and interpret just that.

Hint: 
  # A filter that only rejects the bare identifier "eval" never sees
  # this: at module level vars()['__builtins__'] is the builtins module.
  e = vars()['__builtins__'].eval
  print(e('2+2'))

Even Java keeps getting new holes found, and Python is not anywhere
near Java when it comes to this kind of thing.
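As an added illustration of the point made in this reply (this is not code from either poster), the following builds the kind of AST blacklist JCM describes and then shows two payloads against it: the hint above, which the blacklist does catch once attribute names are checked as well, and a variant in which every forbidden token is assembled from string fragments, so the AST contains no forbidden name at all and the filter waves it through. The filter design, the `run_filtered` sandbox (which supplies the builtins module as `__builtins__`, as a script run as `__main__` would have) and the sample inputs are all assumptions constructed for this example.

```python
import ast
import builtins

# Names and attributes a blacklist of the kind quoted above would reject
# (assumed set for this example).
FORBIDDEN = {"eval", "exec", "compile", "open", "__import__"}


def _is_dunder(name):
    return name.startswith("__") and name.endswith("__")


def blacklist_violations(src):
    """Walk the AST of user code and report everything the blacklist rejects.

    An empty list means the filter would let the code through.  Checking the
    AST rather than raw text already defeats whitespace and comment tricks;
    the string-smuggling payload below is what it does not defeat.
    """
    violations = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            violations.append("import statement")
        elif isinstance(node, ast.Name) and (
            node.id in FORBIDDEN or _is_dunder(node.id)
        ):
            violations.append("name " + node.id)
        elif isinstance(node, ast.Attribute) and (
            node.attr in FORBIDDEN or _is_dunder(node.attr)
        ):
            violations.append("attribute " + node.attr)
    return violations


def run_filtered(src):
    """Toy 'sandbox': execute user code only if the blacklist passes.

    The namespace gets the builtins module as __builtins__, the same thing a
    script run as __main__ sees.  The payload reads back its answer through
    the name 'result'.
    """
    violations = blacklist_violations(src)
    if violations:
        return {"rejected": violations}
    ns = {"__builtins__": builtins}
    exec(src, ns)
    return {"result": ns.get("result")}


# Constructed sample inputs.
NAIVE_EVAL = "result = eval('2+2')"

# The hint from the post: no bare 'eval' identifier, but 'eval' still
# appears as an attribute name, which this filter also checks.
HINT_FROM_POST = "e = vars()['__builtins__'].eval\nresult = e('2+2')"

# Same idea, but '__builtins__' and 'eval' exist only as string fragments,
# so the AST holds no forbidden Name or Attribute.  Works whether
# __builtins__ is the module (as in __main__) or the builtins dict.
STRING_SMUGGLED = (
    "b = vars()['__bu' + 'iltins__']\n"
    "e = b['ev' + 'al'] if isinstance(b, dict) else getattr(b, 'ev' + 'al')\n"
    "result = e('2+2')\n"
)

if __name__ == "__main__":
    for label, code in [
        ("naive", NAIVE_EVAL),
        ("hint", HINT_FROM_POST),
        ("smuggled", STRING_SMUGGLED),
    ]:
        print(label, run_filtered(code))
```

Each forbidden token that gets added to the list just moves the attacker to the next spelling of it (string concatenation, `chr()` arithmetic, `getattr` on any object that can reach `object.__subclasses__`), which is why the reply suggests a purpose-built restricted language rather than a filter on Python.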
