Embedding a restricted python interpreter
dieter at handshake.de
Mon Jan 17 20:11:48 CET 2005
Paul Rubin <http://phr.cx@NOSPAM.invalid> writes on 08 Jan 2005 14:56:43 -0800:
> Dieter Maurer <dieter at handshake.de> writes:
> > It uses a specialized compiler that prevents dangerous bytecode operations
> > to be generated and enforces a restricted builtin environment.
> Does it stop the user from generating his own bytecode strings and
> demarshalling them?
Almost surely, I do not understand you:
In the standard setup, the code has no access to most
of Python's runtime library. Only a few selected modules
are deemed to be safe and can be imported (and used) in
"RestrictedPython". "marshal" or "unmarshal" are not considered safe.
Security Declaration can be used to make more modules importable -- but
then, this is an explicite decision by the application developper.
*If* the framework decided to exchange byte code between
user and iterpreter, then there would be no security at
all, because the interpreter is the standard interpreter
and security is built into the compilation process.
Of course, you should not step in *after* the secured step ;-)
Thus, "RestrictedPython" expects that the user sends
Python source code (and not byte code!), it compiles
this source code into byte code that enforces a strict
access and facility policy.
More information about the Python-list