Safe eval?
Erno Kuusela
erno-news at erno.iki.fi
Wed Apr 17 06:29:22 EDT 2002
In article <Ms9v8.22165$b62.626694 at news1.tin.it>, Alex Martelli
<aleax at aleax.it> writes:
| Paul Rubin wrote:
|| "Philipp Lenssen" <lenssen at hitnet.rwth-aachen.de> writes:
||| Is it possible to have a safe eval() on the server-side even when the
||| string consists of submitted user data?
||
|| Well, look at the docs for the rexec (restricted execution) and Bastion
|| classes, but basically no, there's no safe way. Rexec doesn't stop an
|| infinite loop from hosing your cpu.
| If you have to watch for that, forking and running the DoS risk in the
| child process can help -- the parent process needs to keep an eye
| over the resources (mostly, time) being used by the child process and
| be ready to kill it if need be. Simple, it ain't.
you can use resource limits - then it's pretty simple. both cpu time
and memory usage can be restricted using the resource module (remember
to use the hard limit).
-- erno
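
An added example (not part of the original post) of the fork-plus-hard-limit approach discussed in this thread, assuming Linux and Python 3. The names eval_limited and _set_hard and the default limits are hypothetical, and the limits bound CPU and memory only.

```python
import os
import resource
import signal

def _set_hard(kind, wanted):
    # soft == hard: an unprivileged process cannot raise a hard limit again.
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)  # never ask for more than we already have
    resource.setrlimit(kind, (wanted, wanted))

def eval_limited(expr, cpu_seconds=1, mem_bytes=1 << 30):
    """Evaluate expr in a forked child under hard CPU and memory limits.

    Hypothetical helper. Returns (outcome, text) with outcome one of
    "ok", "error", "memory", "cpu" or "signal". This bounds resource use
    only; it does not restrict what the expression is allowed to do.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: limit ourselves, evaluate, report over the pipe
        os.close(rfd)
        code = 1
        try:
            _set_hard(resource.RLIMIT_CPU, cpu_seconds)
            _set_hard(resource.RLIMIT_AS, mem_bytes)
            os.write(wfd, repr(eval(expr, {}))[:4096].encode())
            code = 0
        except MemoryError:
            code = 2
        except BaseException as exc:
            os.write(wfd, type(exc).__name__.encode())
        finally:
            os._exit(code)  # never return into the parent's code path
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        text = pipe.read().decode(errors="replace")
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        sig = os.WTERMSIG(status)
        # The kernel ends the child with SIGXCPU (soft) or SIGKILL (hard).
        cpu = sig in (signal.SIGXCPU, signal.SIGKILL)
        return ("cpu" if cpu else "signal", text)
    return ({0: "ok", 2: "memory"}.get(os.WEXITSTATUS(status), "error"), text)
```

RLIMIT_CPU counts CPU time rather than wall-clock time, so a child that sleeps or blocks still needs the parent-side watch-and-kill described in the quoted reply.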