This isn't really for users. It is for developers like me.<br>Yes it is a security hole but again, it is a debugger.<br><br>The people who will be using it can all ssh into the server machine with the same ID that the server process is running on.<br>
In fact, this is quite normal.<br><br>As it is right now, we log into these machines and start an interactive Python and use the bindings to debug things.<br>This works well most of the time but when you do that you need to start another session of the application.<br>
It is useful to run code interactively from within an actual client session where something has gone wrong.<br><br>In any case.... I got this working with a rudimentary SWT Java client (yuck, but the application is based on Eclipse).<br>
<br>Below is the code I used. It has a singleton interactive console object.<br>I sub-classed it and defined another method "process" which simply calls the "push" method after wrapping stdout and stderr.<br>
It returns anything that was printed to stdout, stderr, and the return value of the "push" method.<br><br>So now from the client I can process one line at a time and it behaves much like the real interactive console... you wouldn't even realize there is all this client / server / WSDL / xml / https junk going on.<br>
<br>############ BEGIN CODE<br><br>import sys<br>from code import InteractiveConsole<br><br>class MyBuffer(object):<br> def __init__(self):<br> self.buffer = []<br> def write(self, data):<br> self.buffer.append(data)<br>
def get(self):<br> ret = ''.join(self.buffer)<br> self.buffer = []<br> return ret<br><br>class MyInteractiveConsole(InteractiveConsole):<br> <br> def __init__(self, *args, **kwargs):<br>
InteractiveConsole.__init__(self, *args, **kwargs)<br> self.mb_out = MyBuffer()<br> self.mb_err = MyBuffer()<br> <br> def process(self, s):<br> sys.stdout, sys.stderr = self.mb_out, self.mb_err<br>
more = self.push(s)<br> sys.stdout, sys.stderr = sys.__stdout__, sys.__stderr__<br> return self.mb_out.get(), self.mb_err.get(), more<br><br>print 'creating new interactive console'<br>mic = MyInteractiveConsole()<br>
<br><br><div class="gmail_quote">On Fri, Aug 17, 2012 at 10:06 AM, Chris Angelico <span dir="ltr"><<a href="mailto:rosuav@gmail.com" target="_blank">rosuav@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich<br>
<<a href="mailto:eric.frederich@gmail.com">eric.frederich@gmail.com</a>> wrote:<br>
> Within the debugging console, after importing all of the bindings, there<br>
> would be no reason to import anything whatsoever.<br>
> With just the bindings I created and the Python language we could do<br>
> meaningful debugging.<br>
> So if I block the ability to do any imports and calls to eval I should be<br>
> safe right?<br>
<br>
</div>Nope. Python isn't a secured language in that way. I tried the same<br>
sort of thing a while back, but found it effectively impossible. (And<br>
this after people told me "It's not possible, don't bother trying". I<br>
tried anyway. It wasn't possible.)<br>
<br>
If you really want to do that, consider it equivalent to putting an<br>
open SSH session into your debugging console. Would you give that much<br>
power to your application's users? And if you would, is it worth<br>
reinventing SSH?<br>
<br>
ChrisA<br>
<span class="HOEnZb"><font color="#888888">--<br>
<a href="http://mail.python.org/mailman/listinfo/python-list" target="_blank">http://mail.python.org/mailman/listinfo/python-list</a><br>
</font></span></blockquote></div><br>