executing arbitrary statements

Chris Rebert clp2 at rebertia.com
Sat Oct 1 03:06:43 EDT 2011


On Fri, Sep 30, 2011 at 11:31 PM, Jason Swails <jason.swails at gmail.com> wrote:
> Hello everyone,
>
> I'm probably missing something pretty obvious, but I was wondering if there
> was a way of executing an arbitrary line of code somehow (such as a line of
> code based on user-input).  There's the obvious use of "eval" that will
> evaluate a function call, but that doesn't allow all things.
<snip>
> Because write is a function eval works fine for it.  But since print isn't
> (2.7), it throws a syntax error.  Likewise, variable assignments aren't
> allowed either as they are also not functions and lack a return value:
<snip>

Use the `exec` statement, which is capable of executing statements (as
opposed to just expressions):
http://docs.python.org/reference/simple_stmts.html#the-exec-statement

> What I'm more or less looking to do is present a (limited) form of an
> interpreter inside the application I'm writing for the advanced user.
>
> I'm also interested to hear if this is a particularly bad idea for any
> reason,

It's potentially rather hacky and ad-hoc to effectively directly
inject arbitrary statements at certain points in your code.

Assuming you were to trust the user-provided code, callbacks/hooks or
plugin modules are typically much cleaner ways to integrate custom
code from the user.

Depending on your particular use case, the `cmd` module might also be
a workable alternative:
http://docs.python.org/library/cmd.html

> and if there are security issues involved with allowing users to
> execute their own code inside my program (keeping in mind that some people
> may "donate" their scripts to others that may run them as black boxes).

It is *very much* a security issue!

> Is
> it enough to disallow import statements, thereby not giving direct access to
> the sys and os modules?

Not by a long shot! There are a bunch of known tricks that exploit
introspection to circumvent such restrictions.
Secure execution of untrusted Python code is a difficult problem. Some
have accomplished it to a degree, but typically only by modifying the
interpreter itself or imposing relatively onerous restrictions on the
untrusted code.

> I know more or less what I want to do, but I'd also
> appreciate any experienced input/advice/suggestions.

I additionally came across this in researching my reply:
http://pypi.python.org/pypi/RestrictedPython/
Apparently the speed of execution leaves something to be desired, but
the package /supposedly/ works well otherwise.

Cheers,
Chris
--
http://rebertia.com
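An added example, not part of this thread (written for Python 3), contrasting `eval` with `exec` on the same user line and sketching the `cmd`-module alternative Chris points to: the application defines a fixed set of command hooks, so user input selects a hook instead of being executed. The `Calculator` class and its `set`/`show` commands are assumed for illustration.

```python
import cmd
import io


def run_user_line(line, namespace):
    """Compile as an expression first; only statements fall through to exec.
    Returns ('expr', value) or ('stmt', None). NOTE: this is the pattern the
    reply warns about: exec runs anything the user types, with full builtins,
    so it is here only to show the eval/exec difference, not as a sandbox."""
    try:
        code = compile(line, "<user>", "eval")
    except SyntaxError:
        # e.g. "x = 5" or a Python 2 print statement: not an expression
        exec(compile(line, "<user>", "exec"), namespace)
        return "stmt", None
    return "expr", eval(code, namespace)


class Calculator(cmd.Cmd):
    """Hypothetical cmd.Cmd dispatcher: every verb is a do_* hook that the
    application controls, so user text never reaches eval or exec."""

    def __init__(self, out):
        super().__init__(stdout=out)
        self.vars = {}

    def do_set(self, arg):
        """set NAME VALUE -- store an integer variable"""
        name, _, value = arg.partition(" ")
        try:
            self.vars[name] = int(value)
        except ValueError:
            self.stdout.write("set: value must be an integer\n")

    def do_show(self, arg):
        """show NAME -- print a stored variable"""
        self.stdout.write("%s\n" % self.vars.get(arg.strip(), "<undefined>"))

    def default(self, line):
        # Anything outside the fixed vocabulary is reported, never executed.
        self.stdout.write("unknown command: %r\n" % line)


def run_commands(lines):
    """Feed constructed command lines through the dispatcher; return output."""
    out = io.StringIO()
    shell = Calculator(out)
    for line in lines:
        shell.onecmd(line)
    return out.getvalue()
```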