Embedding Python in Python
Cameron Laird
claird at lairds.com
Fri Oct 10 15:23:29 EDT 2003
In article <e56627ef.0310090639.2b1eb0a2 at posting.google.com>,
Darryl <madhobbit at geocities.com> wrote:
>JCM <joshway_without_spam at myway.com> wrote in message
>news:<bm1mt6$maa$1 at fred.mathworks.com>...
>> (...) What we did was parse the users' code
>> (take a look at the compiler module) and statically analyze it for
>> anything "dangerous".
>
>Ugh...I had considered this approach but was hoping I didn't have to
>do it :) I've only been hacking Python for a couple weeks, so I don't
>know all the ins and outs of what I'd need to watch for...in my
>experience, most languages seem to have obscure ways of doing things
>that you wouldn't think of normally, and Python seems no exception.
>From a more pragmatic perspective though, this is just a toy project,
>so it's not too important if I miss something.
>
>> (...) anything of the form __ident__
>
>Now that's an interesting idea...from what I've seen of Python, that
>should catch most of the really obscure ways of doing things. I
>haven't looked, but I can only assume that Python has regexp matching
>in it somewhere, so some of the simple checks should be only a few
>lines of code. A blacklist of keywords seems like a good first start
>(it's a fairly restrictive context, so even common things like def and
>lambda can probably be blocked).
>
>I also just tested and noticed that syntax errors seem to be thrown as
>exceptions (rather than causing the interpreter to gasp and die), so I
>shouldn't have to worry about a badly-written script crashing the
>whole app.
.
.
.
I'm surprised--astounded, in fact--that those more expert
with Python than I haven't already jumped in to correct
errors that seem to be arising in this thread.

Yes, we all count on the Python interpreter to toss exceptions
when it's unhappy, *not* "to gasp and die". There
are a few situations it can't handle, but only few.

There's a lot to say on the subject of interpretation of
code supplied by users. In particular, the three Python
projects
    rexec
    Bastion
    RestrictedPython
all address this requirement on a technical level. If
your goal is a useful working application, I strongly
urge you to read up on these. Correct construction on
your own of a "blacklist" is ... difficult.
--
Cameron Laird <claird at phaseit.net>
Business: http://www.Phaseit.net
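
Added example, not part of the original post or thread: a static check of user-supplied source along the lines discussed above, rejecting __ident__ names and reporting syntax errors as ordinary results. It uses the standard-library ast module in place of the compiler module mentioned in the thread, and it swaps the keyword blacklist for an allowlist of syntax-tree node types; ALLOWED, is_dunder, find_violations and SAMPLES are names made up for this example. Passing the check says only that none of these constructs appear, not that the code is safe to run.

```python
import ast

# Allowlist of node types for a small scripting context (constructed for
# this example; anything not listed here is rejected by default).
ALLOWED = (
    ast.Module, ast.Expr, ast.Assign, ast.AugAssign, ast.If, ast.Name,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Call, ast.Attribute, ast.operator, ast.unaryop, ast.boolop,
    ast.cmpop, ast.expr_context,
)

def is_dunder(name):
    """True for identifiers of the form __ident__."""
    return len(name) > 4 and name.startswith("__") and name.endswith("__")

def find_violations(source):
    """Return a sorted list of (line, reason) for rejected constructs."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A bad script raises an exception; the host application survives.
        return [(exc.lineno or 0, "syntax error")]
    found, stack = [], [tree]
    while stack:
        node = stack.pop()
        line = getattr(node, "lineno", 0)
        if not isinstance(node, ALLOWED):
            found.append((line, "node " + type(node).__name__))
            continue  # do not descend into a construct already rejected
        if isinstance(node, ast.Name) and is_dunder(node.id):
            found.append((line, "name " + node.id))
        elif isinstance(node, ast.Attribute) and is_dunder(node.attr):
            found.append((line, "attribute " + node.attr))
        stack.extend(ast.iter_child_nodes(node))
    return sorted(set(found))

# Constructed sample inputs.
SAMPLES = {
    "plain": "total = price * 2\nlabel = 'def and lambda are only text here'\n",
    "dunder": "x = obj.__class__\n",
    "define": "f = lambda n: n + 1\nimport os\n",
    "broken": "total = = 1\n",
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(name, find_violations(code))
```

Because the check works on the parsed tree, the words "def" and "lambda" inside the string literal of the "plain" sample are not flagged, which a regexp match over the raw text would do.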