use of exec()
lars van gemerden
lars at rational-it.com
Fri Oct 19 19:43:40 EDT 2012
On Thursday, October 18, 2012 5:16:50 PM UTC+2, Chris Angelico wrote:
> On Fri, Oct 19, 2012 at 2:00 AM, lars van gemerden <lars at rational-it.com> wrote:
>
> > I get your point, since in this case having the custom code option makes the system a whole lot less complex and flexible, i will leave the option in. The future customer will be informed that they should handle the security around the designers as if they were programmers. Aditionally i will probably add some screening for unwanted keywords (like 'import') and securely log any new/changed custom code including the designer account (must do that for other actions anyway).
>
>
>
> That sounds like a reasonable implementation of Layer Eight security.
>
> As long as everyone understands that this code can do ANYTHING, you'll
>
> be fine.
>
>
>
> You may want to add some other programmatic checks, though; for
>
> instance, a watchdog timer in case the code gets stuck in an infinite
>
> loop, or a memory usage limit, or somesuch. Since you're no longer
>
> worrying about security, this sort of thing will be fairly easy, and
>
> will be just to help catch common errors.
>
>
>
> ChrisA
Do you have any ideas about to what extend the "lambda" version of the code (custom code is only the 'body' of the lambda function) has the same issues?
Cheers, Lars
More information about the Python-list
mailing list