Untrusted python code
Paul Rubin
Sun Sep 23 15:31:51 EDT 2007
Thomas Dybdahl Ahle <lobais at gmail.com> writes:
> Hi, I have an application for which I want users to be able to make
> themes.
> I've planned a rather advanced model (in xml), which gives themes the
> option to redefine various drawing methods.
> Now I don't want those themes to be able to take over the current user,
> but I'd still like the scripts to be able to import stuff like math.
> Is there a way to ensure no IO and other dangerous stuff is done?

No. There used to be something called rexec/bastion but it was
removed because it was insecure.

You might look at http://webpy.org which is a web kit written in
Python, that has its own sandboxed interpreter for a Python-like
user templating language, for doing what you're doing.

You could also consider using something like client side XSLT.