Untrusted python code

Paul Rubin http
Sun Sep 23 21:31:51 CEST 2007


Thomas Dybdahl Ahle <lobais at gmail.com> writes:
> Hi, I have an application for which I want users to be able to make 
> themes.
> I've planed a rather advanced model (in xml), which gives themes the 
> option to redefine various drawing methods.
> Now I don't want those themes to be able to take over the current user, 
> but I'd still like the scripts to be able to import stuff like math.
> Is there a way to ensure no IO and other dangerous stuff is done?

No.  There used to be something called rexec/bastion but it was
removed because it was insecure.

You might look at http://webpy.org which is a web kit written in
Python, that has its own sandboxed interpreter for a Python-like
user templating language, for doing what you're doing. 

You could also consider using something like client side XSLT.



More information about the Python-list mailing list