use of exec()

lars van gemerden lars at rational-it.com
Thu Oct 18 11:00:03 EDT 2012 

On Thursday, October 18, 2012 4:29:45 PM UTC+2, Chris Angelico wrote:
> On Fri, Oct 19, 2012 at 1:07 AM, lars van gemerden <lars at rational-it.com> wrote:
> 
> > Thanks, Chris,
> 
> >
> 
> > That works like a charm (after replacig "return ns.function" with "return ns['function']" ;-) ).
> 
> 
> 
> Err, yes, I forget sometimes that Python doesn't do that. JavaScript
> 
> and Pike both let you (though Pike uses -> instead of . for that
> 
> operator). Yes, Python has real methods on dictionary objects :)
> 
> 
> 
> > About the security, i noticed you can still import and use modules within the exec'ed code. Is there a way to prevent this or otherwise make this approach more secure.
> 
> 
> 
> Basically no, there's no real way to make it secure. Without
> 
> eliminating exec/eval, destroying insecurity is the hopeless work of a
> 
> wasted life, as the oracle said to Alice.
> 
> 
> 
> > I should say that the users that will be able to make custom functions, are not end-users, but authenticated designers, however i would like to close a backdoor to the whole framework.
> 
> 
> 
> You have to decide one thing: Will you permit them to execute
> 
> untrusted code on your system? If so, go ahead (and just warn them
> 
> that things like import shouldn't be done, as they can cause other
> 
> messes). I run a server that I build with the help of another guy (I
> 
> do the code, he does the bulk of the content - descriptions and
> 
> stuff), and I'm happy to trust him to not be malicious, so the purpose
> 
> of "embedded code in loci" is to make it easier to write tiny bits of
> 
> code, without any security requirement. But if you need security,
> 
> don't use eval. AT ALL.
> 
> 
> 
> There may be a brand new service coming along, though. The ast module
> 
> I think is getting a new evaluator that allows a little more
> 
> functionality than literal_eval, while still not permitting most
> 
> things. But you then have the question of performance, since you
> 
> effectively interpret the code at a high level.
> 
> 
> 
> ChrisA

I get your point, since in this case having the custom code option makes the system a whole lot less complex and flexible, i will leave the option in. The future customer will be informed that they should handle the security around the designers as if they were programmers. Aditionally i will probably add some screening for unwanted keywords (like 'import') and securely log any new/changed custom code including the designer account (must do that for other actions anyway).

Thanks again, Lars

More information about the Python-list mailing list