[Flask] Executing user input python code inside flask app context

Christophe Bal projetmbc at gmail.com
Tue Aug 23 16:44:10 EDT 2016


Hello (bis).

What kind of container do you use?


Christophe BAL
Mathematics teacher at a lycée (high school) and amateur Python developer
---
French teacher of math in a high school and amateur Python developer

2016-08-23 20:48 GMT+02:00 Alex Alex <alex-alex-90 at wp.pl>:

> Dear David,
>
> Thank you for all the input. The werkzeug looks very promising and
> interesting. This is a great idea. Thanks for an example code snippet -
> using the code module is a good idea as well. Below is the code I came up
> with so far, but I'm not happy with it. It's just a quick hack and I'm not
> proud of it:
>
> import sys
> import StringIO  # Python 2; the exec'd output is captured in memory
> from flask import flash, redirect, render_template, Markup
>
> # ExecForm is a Flask-WTF form with a single 'python_cmd' text field
> # (defined elsewhere in the app).
>
> @app.route('/', methods=['GET', 'POST'])
> def hello_world():
>     form = ExecForm()
>     if form.validate_on_submit():
>         flash('Python statement to execute: %s from %s' %
>               (form.python_cmd.data, form.python_cmd))
>
>         output = StringIO.StringIO()
>         err = StringIO.StringIO()
>
>         # Swap the process-wide streams so print() and tracebacks from the
>         # user's code land in the buffers instead of the server console.
>         sys.stderr = err
>         sys.stdout = output
>
>         try:
>             exec(form.python_cmd.data)
>             outp = output.getvalue()
>             e = err.getvalue()
>         except SyntaxError as exc:
>             e = str(exc)
>             outp = ''
>         except NameError as exc:
>             e = str(exc)
>             outp = ''
>         except:
>             e = 'Failed to execute code: %s' % form.python_cmd.data
>             outp = ''
>
>         # Restore the real streams before anything else runs in this process.
>         sys.stdout = sys.__stdout__
>         sys.stderr = sys.__stderr__
>
>         output.close()
>         err.close()
>         if outp:
>             flash(Markup('<img src="static/python-16x16.png" alt="python"> %s' % outp), 'success')
>         if e:
>             flash('Error: %s' % e, 'danger')
>         return redirect('/')
>
>     return render_template('index.html', title='Exec', form=form)
>
> As far as security is concerned you are right and I fully agree with you.
> But if the project gets acceptance this will not be an issue in this case.
> As I've said, running this inside a container in the worst case scenario
> wipes out only the container, which can be easily recreated in seconds.
> Ability to access the complete flask app context also allows you to bypass
> the authentication and authorization models of a webapp since by accessing
> the SQLAlchemy instance you can query the database, but in my case this is
> the whole point: being able to access data through the web without any
> constraints of the webapp itself, and being able to do it using the
> keyboard instead of clicking through dozens of web forms.
>
>
>
> BR
>
> Alex
>
>
>
>
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
>
>
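As an added example that is not part of either message above: a Python 3 version of the capture logic in the quoted code, using the code module suggested earlier in the thread and contextlib so the real streams are restored even when the snippet raises. The namespace argument is a constructed stand-in for whatever app objects the route would expose.

```python
import code
import contextlib
import io


def run_snippet(source, namespace=None):
    """Run `source` in `namespace`; return (captured stdout, captured stderr).

    code.InteractiveInterpreter reports SyntaxError and runtime tracebacks
    through its own hooks (written to sys.stderr), which replaces the
    hand-written except chain and the catch-all "Failed to execute code".
    """
    namespace = {} if namespace is None else namespace
    out, err = io.StringIO(), io.StringIO()
    interp = code.InteractiveInterpreter(namespace)
    # The redirect is still process-global: under a threaded WSGI server the
    # output of concurrent requests would interleave, so this only holds in a
    # single-threaded process such as the throwaway container in the thread.
    with contextlib.redirect_stdout(out), contextlib.redirect_stderr(err):
        # "exec" so multi-line snippets (loops, defs) are compiled as a whole.
        needs_more = interp.runsource(source, "<web>", "exec")
        if needs_more:
            # codeop returned None: the snippet is syntactically unfinished.
            interp.write("SyntaxError: incomplete input\n")
    return out.getvalue(), err.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the app objects the route would expose.
    ctx = {"app_name": "demo"}
    print(run_snippet("print(app_name.upper())", ctx))
    print(run_snippet("undefined_name", ctx))
```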

