Embedding Python in Python

JCM joshway_without_spam at myway.com
Thu Aug 19 09:00:25 EDT 2004


Paul Rubin <http://phr.cx@nospam.invalid> wrote:
...
>> > Hint: 
>> >   e = vars()['__builtins__'].eval
>> >   print e('2+2')
>> 
>> I don't think it's as difficult as you think.  Your snippet of code
>> would be rejected by the rules I suggested.  You'd also want to
>> prohibit other builtins like compile, execfile, input, reload, vars, etc.

> I don't see how.  Your rules were to disallow:

>   1) exec statements.  My example doesn't use it.

>   2) eval identifier.  My example uses eval as an attribute and not an
>      identifier.  You can eliminate the use of eval as an attribute with
>        e = getattr(vars()['__builtins__'], 'ev'+'al').
>      Now not even the string 'eval' appears in one piece.

You've used eval as an identifier (at least by the terminology to
which I'm accustomed), just not as a variable.

>   3) identifiers like __this__.  My example doesn't use any.  It
>      uses a constant string of that form, not an identifier.  The
>      string could be computed instead, like the eval example above.
>   4) import statements.  My example doesn't use them.

> Conclusion, my example gets past your suggested rules.  I also
> didn't use compile, execfile, input, or reload.  I did use vars but
> there are probably other ways to do the same thing.  You can't take
> something full of holes and start plugging holes until you think you
> found them all.  You have to start with something that has no holes.

It's fine to look at it that way.  Start with a subset of Python that
you know to be safe, for example only integer literal expressions.
Keep adding more safe features until you're satisfied with the
expressiveness of your subset.

> The Python crowd has been through this many times already; do some
> searches for rexec/Bastion security.

I did do a [quick] search, and saw a lot of articles about how rexec
and Bastion were insecure; but I didn't find any arguments about how
it's (too) difficult to come up with a safe subset of Python, for some
definition of "safe".


