use of exec()

Chris Angelico rosuav at gmail.com
Thu Oct 18 11:16:46 EDT 2012


On Fri, Oct 19, 2012 at 2:00 AM, lars van gemerden <lars at rational-it.com> wrote:
> I get your point, since in this case having the custom code option makes the system a whole lot less complex and flexible, I will leave the option in. The future customer will be informed that they should handle the security around the designers as if they were programmers. Additionally I will probably add some screening for unwanted keywords (like 'import') and securely log any new/changed custom code including the designer account (must do that for other actions anyway).

That sounds like a reasonable implementation of Layer Eight security.
As long as everyone understands that this code can do ANYTHING, you'll
be fine.

You may want to add some other programmatic checks, though; for
instance, a watchdog timer in case the code gets stuck in an infinite
loop, or a memory usage limit, or somesuch. Since you're no longer
worrying about security, this sort of thing will be fairly easy, and
will be just to help catch common errors.

ChrisA
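
The watchdog timer and memory limit suggested above, as an added example that is not part of the original post: the custom code is passed to exec() in a child interpreter so that a stuck snippet can be killed from outside. It assumes a Linux/POSIX host (the `resource` module); `run_custom_code` and `_BOOTSTRAP` are hypothetical names, and, as the reply says, this catches common errors and is not a security boundary.

```python
import subprocess
import sys

# Bootstrap executed by the child interpreter (hypothetical helper):
# it caps its own address space, then exec()s the custom code read from stdin.
_BOOTSTRAP = """
import resource, sys
mem = int(sys.argv[1])
resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
exec(compile(sys.stdin.read(), "<custom>", "exec"), {"__name__": "__custom__"})
"""


def run_custom_code(source, wall_s=5.0, mem_bytes=512 * 1024**2):
    """Run designer-supplied code under a watchdog and a memory cap.

    Returns (status, detail) where status is 'ok', 'timeout' or 'error'.
    The limits are assumed defaults; tune them for the real workload.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _BOOTSTRAP, str(mem_bytes)],
            input=source,
            capture_output=True,
            text=True,
            timeout=wall_s,  # watchdog: the child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return "timeout", f"killed after {wall_s}s wall clock"
    if proc.returncode != 0:
        # Last traceback line names the exception, e.g. 'MemoryError'.
        lines = proc.stderr.strip().splitlines()
        return "error", lines[-1] if lines else f"exit code {proc.returncode}"
    return "ok", proc.stdout


if __name__ == "__main__":
    # Constructed sample snippets standing in for designer-written custom code.
    samples = {
        "well-behaved": "print(6 * 7)",
        "infinite loop": "while True:\n    pass",
        "memory hog": "x = bytearray(4 * 1024**3)",
    }
    for name, code in samples.items():
        print(name, "->", run_custom_code(code, wall_s=1.0))
```

The returned status and detail can go into the same log that records new or changed custom code and the designer account.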


