How to permanently remove __import__?

Peter Hansen peter at engcorp.com
Tue Jun 17 23:45:48 CEST 2003


martin z wrote:
> 
> Hi - simple problem, but I can't find an answer.  I'm working on an embedded
> Python interpreter, and I am overriding the __import__ statement.  This is
> for several reasons, but suffice to say I do not want users to be able to
> access the traditional __import__ function under any circumstances.  Now, my
> problem is this: I can replace __builtins__.__import__ but all the user has
> to do is call reload(__builtins__)
> 
> I'd just do the same to reload, but reload is a handy function that would be
> even messier to re-implement.  That, and I'd always be worried there was
> another way to tap into the missing __import__ statement.

What you're doing is bizarre, and probably prone to massive security
wholes as well, but if you really want to do that, why not override
reload() in the same manner, but after checking that the argument is
not the __builtins__ module, pass the call on to the original, to which
you've preserved a reference.

(And I can immediately think of about three problems both with this
and the original approach.)

Have you read about Bastion and RExec and their ilk, and the concerns
about their safety?

-Peter




More information about the Python-list mailing list