Embedding Python in Python

Jack Diederich jack at performancedrivers.com
Wed Aug 18 22:06:34 CEST 2004

On Wed, Aug 18, 2004 at 07:44:47PM +0000, JCM wrote:
> Paul Rubin <http://phr.cx@nospam.invalid> wrote:
> > JCM <joshway_without_spam at myway.com> writes:
> >> If you're concerned about security, another possibility is to parse
> >> the user's code and look for anything potentially dangerous.  You'll
> >> need to be aggressive, but I believe it's possible.  For example,
> >> disallow exec statements, the identifier "eval", any identifier of
> >> __this__ form, import statements, etc.  This is overly restrictive,
> >> but it will provide security.
> > By the time you're done with all that, you may as well design a new
> > restricted language and interpret just that.
> > Hint: 
> >   e = vars()['__builtins__'].eval
> >   print e('2+2')
> > Even Java keeps getting new holes found, and Python is not anywhere
> > near Java when it comes to this kind of thing.
> I don't think it's as difficult as you think.  Your snippet of code
> would be rejected by the rules I suggested.  You'd also want to
> prohibit other builtins like compile, execfile, input, reload, vars,
> etc.
foo = "ev" + "al"
e = vars()['__builtins__'].__dict__[foo]
print e('2+2')

This is a job for the operating system and not python.
Google groups for rexec and Bastion if you want to read ten lenghty
discussions of why this is the OS's job.


More information about the Python-list mailing list