Embedded python security

Jason Orendorff jason at jorendorff.com
Wed Jan 16 04:35:32 CET 2002


> The thing is, I don't need users trying to hack the server through the
> scripts, and I know that those kind of security issues have been tackled
> in the case of javascript since it is used for client-side web scripting.
> My question is, have these kinds of issues been dealt with in python?  Is
> there some kind of "sandbox" I can run python scripts in?

Yes.  There are modules rexec and bastion that will help with this.
The principles are simple enough that you can even do it "by hand":

vars = {'__builtins__' : {}}
while 1:
    try:
        exec raw_input(">>> ") in vars
    except:
        print "ERROR"

But almost no matter what you do, the following code will peg the CPU
and cause the lights in your building to dim for a moment, until the
machine runs out of memory.

  10**(10L**100)

Short answer:  don't do it.

## Jason Orendorff    http://www.jorendorff.com/




More information about the Python-list mailing list