Embedding Python in Python

Jack Diederich jack at performancedrivers.com
Wed Aug 18 22:06:34 CEST 2004


On Wed, Aug 18, 2004 at 07:44:47PM +0000, JCM wrote:
> Paul Rubin <http://phr.cx@nospam.invalid> wrote:
> > JCM <joshway_without_spam at myway.com> writes:
> >> If you're concerned about security, another possibility is to parse
> >> the user's code and look for anything potentially dangerous.  You'll
> >> need to be aggressive, but I believe it's possible.  For example,
> >> disallow exec statements, the identifier "eval", any identifier of
> >> __this__ form, import statements, etc.  This is overly restrictive,
> >> but it will provide security.
> 
> > By the time you're done with all that, you may as well design a new
> > restricted language and interpret just that.
> 
> > Hint: 
> >   e = vars()['__builtins__'].eval
> >   print e('2+2')
> 
> > Even Java keeps getting new holes found, and Python is not anywhere
> > near Java when it comes to this kind of thing.
> 
> I don't think it's as difficult as you think.  Your snippet of code
> would be rejected by the rules I suggested.  You'd also want to
> prohibit other builtins like compile, execfile, input, reload, vars,
> etc.
> 
foo = "ev" + "al"
e = vars()['__builtins__'].__dict__[foo]
print e('2+2')

This is a job for the operating system and not python.
Google groups for rexec and Bastion if you want to read ten lenghty
discussions of why this is the OS's job.

-Jack



More information about the Python-list mailing list