Embedding Python in Python
joshway_without_spam at myway.com
Wed Aug 18 21:44:47 CEST 2004
Paul Rubin <http://firstname.lastname@example.org> wrote:
> JCM <joshway_without_spam at myway.com> writes:
>> If you're concerned about security, another possibility is to parse
>> the user's code and look for anything potentially dangerous. You'll
>> need to be aggressive, but I believe it's possible. For example,
>> disallow exec statements, the identifier "eval", any identifier of
>> __this__ form, import statements, etc. This is overly restrictive,
>> but it will provide security.
> By the time you're done with all that, you may as well design a new
> restricted language and interpret just that.
> e = vars()['__builtins__'].eval
> print e('2+2')
> Even Java keeps getting new holes found, and Python is not anywhere
> near Java when it comes to this kind of thing.
I don't think it's as difficult as you think. Your snippet of code
would be rejected by the rules I suggested. You'd also want to
prohibit other builtins like compile, execfile, input, reload, vars,
More information about the Python-list