Creating a reliable sandboxed Python environment
Chris Angelico
rosuav at gmail.com
Fri May 29 05:38:21 EDT 2015
On Fri, May 29, 2015 at 7:23 PM, Stefan Behnel <stefan_ml at behnel.de> wrote:
> Chris Angelico schrieb am 29.05.2015 um 09:41:
>> On Fri, May 29, 2015 at 4:18 PM, Stefan Behnel wrote:
>>>> Lua's a much weaker language than Python is, though. Can it handle
>>>> arbitrary-precision integers? Unicode? Dare I even ask,
>>>> arbitrary-precision rationals (fractions.Fraction)?
>>>
>>> All of those and way more, as long as you use it embedded in Python.
>>
>> Okay, so how would you go about using Lua-embedded-in-Python to
>> manipulate Unicode text?
>
> Lua only supports byte strings, so Lupa will encode and decode them for
> you. If that's not enough, you'll have to work with Python Unicode string
> objects through the language interface. (And I just noticed that the
> handling can be improved here by overloading Lua operators with Python
> operators - not currently implemented.)
>
>
>> Looks to me as if Lua doesn't have integers at all
>
> The standard number type in Lua is a C double float, i.e. the steady
> integer range is somewhere within +/-2^53. That tends to be enough for a
> *lot* of use cases. You could change that type in the Lua C code (e.g. to a
> 64 bit int), but that's usually a bad idea. The same comment as above
> applies: if you need Python object features, use Python objects.
Unicode strings shouldn't involve the hassle of bouncing through an
interface layer. Nobody will bother, and the result will be code
that's ASCII-only. That happens often enough even in Python 2, where
u"foo" is a Unicode string.
> Embedding Lua in Python gives you access to all of Python's objects and
> ecosystem. It may not always be as cool to use as from Python, but in that
> case, why not code it in Python in the first place? You wouldn't use
> Lua/Lupa to write whole applications, just the user defined parts of them.
> The rest can happily remain in Python. And should, for your own sanity.
The point was to sandbox something inside Python. Otherwise, yes, just
write it in Python. But if you do have to sandbox like this, you lose
language-level Unicode support, language-level arbitrary precision
integers, etcetera, etcetera, etcetera. So I stand by my previous
statement: The price of security is functionality.
ChrisA
More information about the Python-list
mailing list