Eval (was Re: Question about using python as a scripting language)

gene tani gene.tani at gmail.com
Wed Aug 9 15:15:20 EDT 2006


Chris Lambacher wrote:
> On Wed, Aug 09, 2006 at 11:51:19AM -0400, Brendon Towle wrote:
> I don't disagree with you.  The problem is that the obvious way to do it
> (eval) is a big security hole.  In this case you are trusting that no one
> inserts themselves between you and the website providing you with code to
> EXECUTE.  I have heard of people attempting to use the parser provided with
> Python and examining the AST to do this, but I think that approach is even
> more complicated.

Here are some things about sandboxing Python:

http://svn.python.org/view/python/branches/bcannon-sandboxing/securing_python.txt?rev=50717&view=log
http://sayspy.blogspot.com/2006/07/still-working-on-security.html
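
The AST-inspection approach mentioned in the quoted text, as an added example that is not part of the original post: untrusted text is parsed, every node is checked against an allow-list of literal syntax, and only then is a value built, so nothing in the input is ever executed. The names `parse_untrusted_literal`, `_is_number` and `_build` are hypothetical, the sample inputs are constructed, and Python 3.8+ is assumed.

```python
import ast

# Syntax allowed in a pure data literal (Python 3.8+ node names).
_ALLOWED = (ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict,
            ast.Set, ast.Load, ast.UnaryOp, ast.USub, ast.UAdd)


def parse_untrusted_literal(text, max_len=10_000):
    """Return the value described by `text`, or raise ValueError."""
    if len(text) > max_len:  # bound parser work on hostile input
        raise ValueError("input too long")
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        raise ValueError("not a valid expression") from exc
    # Check every node before building anything: names, calls, attribute
    # access, comprehensions and binary operators are all refused here.
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Dict) and None in node.keys:
            raise ValueError("dict unpacking is not a literal")
        if isinstance(node, ast.UnaryOp) and not _is_number(node.operand):
            raise ValueError("unary +/- is only allowed on a number")
    try:
        return _build(tree.body)
    except TypeError as exc:  # e.g. a list used as a dict key
        raise ValueError("unhashable key or set member") from exc


def _is_number(node):
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float, complex))
            and not isinstance(node.value, bool))


def _build(node):
    """Construct the value from an already-validated tree."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.UnaryOp):
        value = _build(node.operand)
        return -value if isinstance(node.op, ast.USub) else value
    if isinstance(node, ast.Dict):
        return {_build(k): _build(v) for k, v in zip(node.keys, node.values)}
    items = [_build(e) for e in node.elts]  # List, Tuple or Set
    return {ast.List: list, ast.Tuple: tuple, ast.Set: set}[type(node)](items)
```

Later Python versions ship `ast.literal_eval` in the standard library, which applies the same idea and is the usual choice when only literals are needed.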



