Embedding Python in Python

JCM joshway_without_spam at myway.com
Wed Aug 18 21:44:47 CEST 2004


Paul Rubin <http://phr.cx@nospam.invalid> wrote:
> JCM <joshway_without_spam at myway.com> writes:
>> If you're concerned about security, another possibility is to parse
>> the user's code and look for anything potentially dangerous.  You'll
>> need to be aggressive, but I believe it's possible.  For example,
>> disallow exec statements, the identifier "eval", any identifier of
>> __this__ form, import statements, etc.  This is overly restrictive,
>> but it will provide security.

> By the time you're done with all that, you may as well design a new
> restricted language and interpret just that.

> Hint: 
>   e = vars()['__builtins__'].eval
>   print e('2+2')

> Even Java keeps getting new holes found, and Python is not anywhere
> near Java when it comes to this kind of thing.

I don't think it's as difficult as you think.  Your snippet of code
would be rejected by the rules I suggested.  You'd also want to
prohibit other builtins like compile, execfile, input, reload, vars,
etc.



More information about the Python-list mailing list