remote read eval print loop
Chris Angelico
rosuav at gmail.com
Fri Aug 17 10:06:14 EDT 2012
On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich
<eric.frederich at gmail.com> wrote:
> Within the debugging console, after importing all of the bindings, there
> would be no reason to import anything whatsoever.
> With just the bindings I created and the Python language we could do
> meaningful debugging.
> So if I block the ability to do any imports and calls to eval I should be
> safe right?
Nope. Python isn't a secured language in that way. I tried the same
sort of thing a while back, but found it effectively impossible. (And
this after people told me "It's not possible, don't bother trying". I
tried anyway. It wasn't possible.)
If you really want to do that, consider it equivalent to putting an
open SSH session into your debugging console. Would you give that much
power to your application's users? And if you would, is it worth
reinventing SSH?
ChrisA
More information about the Python-list
mailing list