Embedding Python in Python

JCM joshway at myway.com
Wed Aug 18 21:12:46 CEST 2004


Paul Rubin <http://phr.cx@nospam.invalid> wrote:
...
> There was a feature called rexec/Bastion for that purposes in older
> version of Python, but it was removed because it was insecure.

>> Any ideas/examples?

> Run your sensitive stuff in a separate process (or separate computer)
> and allow the hostile clients to communicate through sockets.

If you're concerned about security, another possibility is to parse
the user's code and look for anything potentially dangerous.  You'll
need to be aggressive, but I believe it's possible.  For example,
disallow exec statements, the identifier "eval", any identifier of
__this__ form, import statements, etc.  This is overly restrictive,
but it will provide security.



More information about the Python-list mailing list