Executing untrusted scripts in a sandboxed environment
Chris Angelico
rosuav at gmail.com
Sat Oct 6 05:23:16 EDT 2012
On Sat, Oct 6, 2012 at 7:10 PM, Ramchandra Apte <maniandram01 at gmail.com> wrote:
> On Saturday, 6 October 2012 12:49:29 UTC+5:30, Chris Angelico wrote:
>> On Sat, Oct 6, 2012 at 8:22 AM, Robin Krahl <me at robin-krahl.de> wrote:
>> > What is the best way to "embed" a script engine in a sandboxed environment that has access to the Python modules and classes that I provide?
>>
>> With extreme difficulty.
>
> Something like ast.literal_eval may be useful.
Not really; it's hardly sufficient. That sort of feature is handy for
making an expression evaluator; for instance, you could implement a
powerful calculator with it. But it's far too limited for most
applications.
The main problem is permitting some of the basic builtins (like True,
False, len(), etc), without those objects being used as gateways. Did
you know, for instance, that len.__self__.open() can be used to read
and write files on the file system?
ChrisA
More information about the Python-list
mailing list