[IronPython] restrict scripting access

Dody Gunawinata empirebuilder at gmail.com
Mon Jun 30 15:30:41 CEST 2008


Ah, true. If there's an effort to create a sandbox mode, please also
consider time out scenarios so we don't have infinite loops causing much
damage.

On Mon, Jun 30, 2008 at 3:35 PM, Michael Foord <fuzzyman at voidspace.org.uk>
wrote:

> Dody Gunawinata wrote:
>
>> That you can filter out from the python source code or replace such call
>> with exception ("bzz, can't load AddReference") - Yeah, it's a pretty nasty
>> workaround, but it works.
>>
>
> Unfortunately not - one of the disadvantages of a highly dynamic language.
> There are lots of alternative ways of getting at the functionality.
>
> Using the __import__ function instead of import. Using getattr with strings
> instead of including the literals in the source code. etc etc
>
> It is for these reasons that the rexec module was deprecated in CPython, it
> is basically impossible to prevent access to certain builtin features. You
> have to apply the restrictions from the 'outside'.
>
> Michael
>
>
>> Dody G.
>>
>> On Mon, Jun 30, 2008 at 3:26 PM, Michael Foord
>> <fuzzyman at voidspace.org.uk> wrote:
>>
>>    Dody Gunawinata wrote:
>>
>>        In the IronPython hosting API, unless you specifically load
>>        the assembly, it will not be accessible through the script. So
>>        right now restricting access means configuring the assemblies
>>        you want to expose to the script.
>>
>>
>>    But what is to stop the user code doing:
>>
>>    import clr
>>    clr.AddReference('SomeAssembly')
>>
>>    Loading the ScriptRuntime into an AppDomain and restricting the
>>    privileges on that is one way - but I don't think that IronPython
>>    will work at all unless the AppDomain has pretty much full trust.
>>
>>    Michael Foord
>>
>>        On Mon, Jun 30, 2008 at 3:09 PM, Ben Hall
>>        <ben2004uk at googlemail.com> wrote:
>>
>>           I thought this last night, it would be really useful if we could
>>           'sandbox' the IP engine and limit its access to certain areas of
>>           the framework.
>>
>>
>>
>>           On Mon, Jun 30, 2008 at 12:57 PM, Rainer Worbis
>>           <r.worbis at cubido.at> wrote:
>>           > No - for example I would like to prevent that the user loads
>>           > assemblies and does own data access via System.Data.SqlClient.
>>           > Or uses specific parts of the applications. (which should be
>>           > visible to other scripts). So access control per script would be
>>           > optimal.
>>           >
>>           > Rainer
>>           >
>>           > -----Original Message-----
>>           > From: users-bounces at lists.ironpython.com
>>           > [mailto:users-bounces at lists.ironpython.com] On Behalf Of
>>           > Korbinian Abenthum
>>           > Sent: Monday, 30 June 2008 13:47
>>           > To: Discussion of IronPython
>>           > Subject: Re: [IronPython] restrict scripting access
>>           >
>>           > Rainer Worbis wrote:
>>           >> is there a way to restrict access to objects or namespaces
>>           >> within a script? We use IronPython for providing scripting
>>           >> functionality within our .NET Application but would like to
>>           >> restrict access to certain functions. Has anybody information
>>           >> or a sample how to do that?
>>           >
>>           > Can you declare the restricted objects as "internal"?
>>           >
>>           > Cheers,
>>           >  Korbinian
>>           > _______________________________________________
>>           > Users mailing list
>>           > Users at lists.ironpython.com
>>           > http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
>>
>>
>>
>>
>>        -- nomadlife.org <http://nomadlife.org>
>>
>>  ------------------------------------------------------------------------
>>
>>
>>
>>
>>
>>
>>    --    http://www.ironpythoninaction.com/
>>    http://www.voidspace.org.uk/
>>    http://www.trypython.org/
>>    http://www.ironpython.info/
>>    http://www.resolverhacks.net/
>>    http://www.theotherdelia.co.uk/
>>
>>
>>
>>
>> --
>> nomadlife.org <http://nomadlife.org>
>> ------------------------------------------------------------------------
>>
>>
>>
>
>
> --
> http://www.ironpythoninaction.com/
> http://www.voidspace.org.uk/
> http://www.trypython.org/
> http://www.ironpython.info/
> http://www.resolverhacks.net/
> http://www.theotherdelia.co.uk/
>
>


-- 
nomadlife.org
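
An added example, not part of the original thread: the time-out request above combined with the point that restrictions have to be applied from the outside. It uses a CPython child process as a stand-in for a separately hosted script engine; `run_untrusted` and the sample scripts are hypothetical names constructed for this illustration.

```python
import subprocess
import sys

# Constructed sample scripts standing in for user-supplied code.
RUNAWAY_SCRIPT = "while True:\n    pass\n"
WELL_BEHAVED_SCRIPT = "print(sum(range(10)))\n"
FAILING_SCRIPT = "raise ValueError('bad input')\n"


def run_untrusted(source, timeout_s=2.0, max_output=4096):
    """Run `source` in a separate interpreter process under a deadline.

    Returns (status, output) with status 'ok', 'error' or 'timeout'.
    The deadline is enforced by the parent process, so nothing the script
    does inside its own interpreter can switch it off.
    """
    cmd = [sys.executable, "-I", "-c", source]  # -I: isolated mode
    try:
        proc = subprocess.run(
            cmd,
            stdin=subprocess.DEVNULL,    # script gets no interactive input
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,    # tracebacks land in the same stream
            timeout=timeout_s,           # child is killed when this expires
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed and reaped the child here.
        partial = (exc.output or b"")[:max_output]
        return "timeout", partial.decode("utf-8", "replace")
    # Output is truncated after collection, before it is handed back.
    text = proc.stdout[:max_output].decode("utf-8", "replace")
    return ("ok" if proc.returncode == 0 else "error"), text


if __name__ == "__main__":
    samples = [("runaway", RUNAWAY_SCRIPT),
               ("well-behaved", WELL_BEHAVED_SCRIPT),
               ("failing", FAILING_SCRIPT)]
    for name, src in samples:
        status, out = run_untrusted(src, timeout_s=1.0)
        print(name, status, out.strip()[-60:])
```

The deadline only bounds wall-clock time; what the script may load or touch while it runs still has to be limited by the privileges of the process hosting it.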