remote read eval print loop

Ramchandra Apte maniandram01 at gmail.com
Sat Aug 18 09:48:57 EDT 2012


Not really. Try modifying ast.literal_eval. This will be quite secure.

On 17 August 2012 19:36, Chris Angelico <rosuav at gmail.com> wrote:

> On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich
> <eric.frederich at gmail.com> wrote:
> > Within the debugging console, after importing all of the bindings, there
> > would be no reason to import anything whatsoever.
> > With just the bindings I created and the Python language we could do
> > meaningful debugging.
> > So if I block the ability to do any imports and calls to eval I should be
> > safe right?
>
> Nope. Python isn't a secured language in that way. I tried the same
> sort of thing a while back, but found it effectively impossible. (And
> this after people told me "It's not possible, don't bother trying". I
> tried anyway. It wasn't possible.)
>
> If you really want to do that, consider it equivalent to putting an
> open SSH session into your debugging console. Would you give that much
> power to your application's users? And if you would, is it worth
> reinventing SSH?
>
> ChrisA
> --
> http://mail.python.org/mailman/listinfo/python-list
>
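One way to read the "modify ast.literal_eval" suggestion, as an added example that is not part of the original message: parse the console input with `ast` and evaluate only literals plus calls to an allowlist of named bindings, rejecting every other node type rather than trying to block imports and `eval`. The names `BINDINGS`, `get_item`, `count_items` and `safe_eval` are hypothetical stand-ins for the application's own bindings, and the result is a narrow command evaluator, not a general Python REPL.

```python
import ast

# Hypothetical stand-ins for the application's bindings (assumed, not from the thread).
BINDINGS = {
    "get_item": lambda item_id: {"id": item_id, "status": "released"},
    "count_items": lambda ids: len(ids),
}
SCALARS = (str, bytes, int, float, bool, type(None))


def _eval(node):
    """Evaluate one AST node; anything not explicitly allowed is refused."""
    if isinstance(node, ast.Constant):
        if isinstance(node.value, SCALARS):
            return node.value
        raise ValueError("disallowed constant")
    if isinstance(node, ast.List):
        return [_eval(e) for e in node.elts]
    if isinstance(node, ast.Tuple):
        return tuple(_eval(e) for e in node.elts)
    if isinstance(node, ast.Dict):
        if any(k is None for k in node.keys):  # a None key means ** unpacking
            raise ValueError("dict unpacking not allowed")
        return {_eval(k): _eval(v) for k, v in zip(node.keys, node.values)}
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and type(node.operand.value) in (int, float)):
        return -node.operand.value  # negative numeric literal
    if isinstance(node, ast.Call):
        # Only a bare allowlisted name may be called: no attribute access,
        # no keyword arguments, and arguments are evaluated by the same rules.
        if not isinstance(node.func, ast.Name) or node.func.id not in BINDINGS:
            raise ValueError("call target not allowlisted")
        if node.keywords:
            raise ValueError("keyword arguments not allowed")
        return BINDINGS[node.func.id](*[_eval(a) for a in node.args])
    raise ValueError("disallowed syntax: " + type(node).__name__)


def safe_eval(source, max_len=200):
    """Evaluate one console expression, or raise ValueError if it is refused."""
    if len(source) > max_len:  # bound parser work on hostile input
        raise ValueError("input too long")
    try:
        tree = ast.parse(source, mode="eval")  # expressions only, no statements
    except SyntaxError as exc:
        raise ValueError("not a single expression") from exc
    return _eval(tree.body)
```

Because names, attributes, subscripts, operators, comprehensions and lambdas all fall through to the final `raise`, the evaluator never hands the caller an object it can introspect.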