<br><br><div class="gmail_quote">On Fri, Apr 3, 2009 at 1:06 PM, Anand Balachandran Pillai <span dir="ltr"><<a href="mailto:abpillai@gmail.com">abpillai@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><br><div class="gmail_quote"><div class="im">On Fri, Apr 3, 2009 at 12:53 PM, Anand Chitipothu <span dir="ltr"><<a href="mailto:anandology@gmail.com" target="_blank">anandology@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/4/3 Noufal Ibrahim <<a href="mailto:noufal@gmail.com" target="_blank">noufal@gmail.com</a>>:<br>
<div>> There was a thread on python-dev recently about sandboxing code by<br>
> restricting the variables provided. A lot of people broke it (you can<br>
> check the archives for "break this code" or something similar).<br>
<br>
</div>This one?<br>
<br>
<a href="http://mail.python.org/pipermail/python-dev/2009-February/086401.html" target="_blank">http://mail.python.org/pipermail/python-dev/2009-February/086401.html</a><br>
<div><br>
> In any case, if you deny people the ability to use __import__, then<br>
> any functions that call import will fail. Whether that's a good<br>
> practice is questionable but that's the state of affairs.<br>
<br>
</div>It does restrict people from using imports, but it doesn't restrict<br>
calling functions which use import.<br>
<br>
The problem with the mentioned code is that an implicit import is<br>
getting called in the current env. If that import is inside that<br>
function then it wouldn't be an issue.</blockquote></div><div><br>Use this work-around.<br><br># Save the name __import__<br>__import__ = __builtins__.__import__<br>__builtins = {}<div class="im"><br><br>import datetime<br>
now = datetime.datetime.utcnow()<br></div><div class="im">
print now.strftime("%m %Y")<br> <br></div>This works. Do this at the top of all modules which is dependent<br>on your code which breaks __builtin__.</div></div></blockquote><div><br>Retracted. I was testing wrong code :) It should be __builtins__,<br>
not __builtins, in which case it fails...!<br> <br>However you can do the same thing and inject the __import__<br>name after your modification.<br><br>Like,<br><br>code = generate_code(template)<br>__import__ = __builtins__.__import__<br>
custom_builtins.__import__ = __import__<br><br>
env = {'__builtins__': custom_builtins}<br>
exec(code, env)<br><br>?<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="gmail_quote"><div><br><br></div><div class="im">
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<div><div></div><div>_______________________________________________<br>
BangPypers mailing list<br>
<a href="mailto:BangPypers@python.org" target="_blank">BangPypers@python.org</a><br>
<a href="http://mail.python.org/mailman/listinfo/bangpypers" target="_blank">http://mail.python.org/mailman/listinfo/bangpypers</a><br>
</div></div></blockquote></div></div><br><br clear="all"><br>-- <br><font color="#888888">-Anand<br><br><br><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>-Anand<br><br><br><br>