Embedded python security

Jason Orendorff jason at jorendorff.com
Tue Jan 15 22:35:32 EST 2002

> The thing is, I don't need users trying to hack the server through the
> scripts, and I know that those kind of security issues have been tackled
> in the case of javascript since it is used for client-side web scripting.
> My question is, have these kinds of issues been dealt with in python?  Is
> there some kind of "sandbox" I can run python scripts in?

Yes.  There are modules rexec and bastion that will help with this.
The principles are simple enough that you can even do it "by hand":

vars = {'__builtins__' : {}}
while 1:
        exec raw_input(">>> ") in vars
        print "ERROR"

But almost no matter what you do, the following code will peg the CPU
and cause the lights in your building to dim for a moment, until the
machine runs out of memory.


Short answer:  don't do it.

## Jason Orendorff    http://www.jorendorff.com/

More information about the Python-list mailing list