Creating a reliable sandboxed Python environment
Paul Rubin
no.email at nospam.invalid
Fri May 29 14:30:34 EDT 2015
Chris Angelico <rosuav at gmail.com> writes:
>> It doesn't add much to your application to embed Lua
> Lua's a much weaker language than Python is, though. Can it handle
> arbitrary-precision integers? Unicode? Dare I even ask,
> arbitrary-precision rationals (fractions.Fraction)? Security comes at
> a price, I guess.
The language features are an orthogonal issue to embeddability. Lua is
easier to embed securely because its embedding interface was designed
for that. It's also easy to call C functions from Lua, so if you want
arbitrary precision integers or rationals, you can link GMP into your
application use it from your Lua scripts.
As another example, Javascript is as powerful as Python (though worse in
many ways due to misdesign), but also by now supports reasonably secure
embedding (or else it wouldn't be usable in browsers).
See
http://lucumr.pocoo.org/2014/8/16/the-python-i-would-like-to-see/#the-damn-interpreter
for Armin Ronacher's comments on CPython's not-so-great embedding
interface. The interface he contrasts it with is essentially how Lua
and Javascript (at least in some implementations) work. I haven't
looked at MicroPython or PyPy.
More information about the Python-list
mailing list