Server Questions (2 of them)

Christian Heimes lists at cheimes.de
Sun Nov 20 19:27:59 EST 2011


On 20.11.2011 22:44, Hrvoje Niksic wrote:
> Andrew <andrew.chapkowski at gmail.com> writes:
> 
>> How to do you create a server that accepts a set of user code?
> [...]
> 
> Look up the "exec" statement, the server can use it to execute any code
> received from the client as a string.
> 
> Note "any code", though; exec runs in no sandbox and if a malicious
> client defines addition(1, 2) to execute os.system('sudo rm -rf /'), the
> server will happily do just that.

It's possible to sandbox Python code, see
http://docs.python.org/library/rexec.html,
http://code.activestate.com/recipes/496746-restricted-safe-eval/ or TTW
code (through the web) in Zope. However the sandboxing is limited and
you really need to know what you are doing.
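
The three points made in this exchange, shown as working code. This is an added example, not code from the original thread or from the rexec / ActiveState recipes it links: (1) a server that does what the first reply describes, exec'ing client code and calling the function it defined, so a malicious addition() runs whatever it likes (os.getpid() stands in for os.system('sudo rm -rf /')); (2) why the usual "restricted exec" recipe, stripping __builtins__, is not a sandbox: the client code walks object.__subclasses__() back to the os module's globals; (3) the approach that actually holds up when the client only needs arithmetic, an AST allowlist that never calls exec or eval. The client snippets, the function names and the allowlist are all assumptions chosen for the demonstration; the escape relies on os._wrap_close, a class defined at module level in CPython's os.py.

```python
"""Why exec on client code is unsandboxed, why a builtins-stripped exec is still
unsandboxed, and an allowlist evaluator that avoids exec entirely (added example)."""
import ast
import operator
import os

# --- 1. the server as described in the thread: exec whatever the client sent ---

def run_client_code(code, func_name, *args):
    """exec the client's source in a fresh namespace, then call the function it defined."""
    namespace = {}                 # exec fills in a full __builtins__ for us
    exec(code, namespace)
    return namespace[func_name](*args)

HONEST_CLIENT = """
def addition(a, b):
    return a + b
"""

MALICIOUS_CLIENT = """
def addition(a, b):
    import os                      # constructed payload: full access to the process
    return os.getpid()             # harmless stand-in for os.system('sudo rm -rf /')
"""

# --- 2. the "restricted exec" recipe: strip the builtins. Not a sandbox. ---

def naive_sandbox(code):
    """Run code with no builtins at all (no __import__, no open, no getattr)."""
    namespace = {"__builtins__": {}}
    exec(code, namespace)
    return namespace.get("result")

# Needs no builtins: plain attribute access walks from the empty tuple to object,
# to every loaded subclass of object, to a class defined in os.py, to os.py's globals.
ESCAPE = """
subclasses = ().__class__.__base__.__subclasses__()
wrap_close = [c for c in subclasses if c.__name__ == '_wrap_close'][0]
os_globals = wrap_close.__init__.__globals__   # the os module's namespace
result = os_globals['getpid']()                # could equally be os_globals['system'](...)
"""

def real_pid():
    return os.getpid()

# --- 3. if clients only need arithmetic, do not run Python at all: walk the AST ---

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}

def safe_eval(expr, names=None):
    """Evaluate +, -, *, / over numbers and known names; any other node is rejected,
    so attribute access, calls, subscripts and ** (cheap CPU-exhaustion) never run."""
    names = names or {}

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name) and node.id in names:
            return names[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        raise ValueError("disallowed syntax: %s" % type(node).__name__)

    return ev(ast.parse(expr, mode="eval"))

if __name__ == "__main__":
    print("honest client:   ", run_client_code(HONEST_CLIENT, "addition", 1, 2))
    print("malicious client:", run_client_code(MALICIOUS_CLIENT, "addition", 1, 2), "== pid", real_pid())
    print("escaped 'sandbox':", naive_sandbox(ESCAPE), "== pid", real_pid())
    print("safe_eval:", safe_eval("1 + 2 * x", {"x": 4}))
    for bad in ("().__class__", "__import__('os')", "2 ** 100000"):
        try:
            safe_eval(bad)
        except ValueError as e:
            print("rejected", bad, "->", e)
```

Stripping builtins only removes the convenient names; the object graph reachable through ordinary attribute access still leads to every loaded module, which is the "limited" part of Python sandboxing. The AST walker sidesteps that entirely because the client's text is never compiled into executable code, at the cost of supporting only what the allowlist names.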
