Embedding Python in Python

Cameron Laird claird at lairds.com
Fri Oct 10 15:23:29 EDT 2003


In article <e56627ef.0310090639.2b1eb0a2 at posting.google.com>,
Darryl <madhobbit at geocities.com> wrote:
>JCM <joshway_without_spam at myway.com> wrote in message
>news:<bm1mt6$maa$1 at fred.mathworks.com>...
>> (...) What we did was parse the users' code
>> (take a look at the compiler module) and statically analyze it for
>> anything "dangerous".
>
>Ugh...I had considered this approach but was hoping I didn't have to
>do it :) I've only been hacking Python for a couple weeks, so I don't
>know all the ins and outs of what I'd need to watch for...in my
>experience, most languages seem to have obscure ways of doing things
>that you wouldn't think of normally, and Python seems no exception.
>From a more pragmatic perspective though, this is just a toy project,
>so it's not too important if I miss something.
>
>> (...) anything of the form __ident__
>
>Now that's an interesting idea...from what I've seen of Python, that
>should catch most of the really obscure ways of doing things. I
>haven't looked, but I can only assume that Python has regexp matching
>in it somewhere, so some of the simple checks should be only a few
>lines of code. A blacklist of keywords seems like a good first start
>(it's a fairly restrictive context, so even common things like def and
>lambda can probably be blocked).
>
>I also just tested and noticed that syntax errors seem to be thrown as
>exceptions (rather than causing the interpreter to gasp and die), so I
>shouldn't have to worry about a badly-written script crashing the
>whole app.
			.
			.
			.
I'm surprised--astounded, in fact--that those more expert
with Python than I haven't already jumped in to correct
errors that seem to be arising in this thread.

Yes, we all count on the Python interpreter to toss exceptions
when it's unhappy, *not* "to gasp and die".  There
are a few situations it can't handle, but only few.

There's a lot to say on the subject of interpretation of
code supplied by users.  In particular, the three Python
projects
  rexec
  Bastion
  RestrictedPython
all address this requirement on a technical level.  If 
your goal is a useful working application, I strongly 
urge you to read up on these.  Correct construction on
your own of a "blacklist" is ... difficult.
-- 

Cameron Laird <claird at phaseit.net>
Business:  http://www.Phaseit.net
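
The static check discussed in this thread, as an added example that is not part of the original posts or any poster's code: it uses the current `ast` module as a stand-in for the `compiler` module named above, and an allowlist of syntax node types instead of a keyword blacklist. The names `ALLOWED_NODES`, `ALLOWED_CALLS`, `check_user_code` and `SAMPLES` are hypothetical, and the sample scripts are constructed.

```python
import ast

# Syntax a restricted scripting context may use. This set is an assumption
# for the example; anything not listed (import, def, lambda, attribute
# access, subscripts, ...) is rejected without having to be named.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.If, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.Not,
    ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
ALLOWED_CALLS = {"abs", "min", "max", "len"}  # assumed set of safe builtins


def check_user_code(source):
    """Return a list of (line, reason) findings; an empty list means accepted."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:  # bad syntax is an exception, not a crash
        return [(exc.lineno or 0, "syntax error: " + exc.msg)]
    findings = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        if not isinstance(node, ALLOWED_NODES):
            findings.append((line, "node type not allowed: " + type(node).__name__))
        elif isinstance(node, ast.Name) and node.id.startswith("__") and node.id.endswith("__"):
            findings.append((line, "dunder name: " + node.id))  # the __ident__ rule
        elif isinstance(node, ast.Call):
            target = node.func
            if not (isinstance(target, ast.Name) and target.id in ALLOWED_CALLS):
                findings.append((line, "call target not allowed"))
    return findings


# Constructed sample scripts, one per case the thread mentions.
SAMPLES = [
    "total = max(3, 4) * 2",   # accepted
    'n = len("__x__")',        # accepted: a string literal is not an identifier
    "import os",               # rejected: Import node
    "f = lambda: 1",           # rejected: Lambda node
    "x = ().__class__",        # rejected: Attribute node
    "__import__('os')",        # rejected: dunder name and call target
    "def (",                   # rejected: syntax error reported as a finding
]

if __name__ == "__main__":
    for src in SAMPLES:
        print(repr(src), "->", check_user_code(src) or "accepted")
```

Passing this check only means the source stays within the permitted syntax; it places no bound on the CPU time or memory the accepted code may use.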



