Security test of embedded Python
Paul Rubin
no.email at nospam.invalid
Tue Jun 21 22:02:03 EDT 2011
Chris Angelico <rosuav at gmail.com> writes:
> users to supply scripts which will then run on our servers...
> The environment is Python 3.3a0 embedded in C++, running on Linux.

This doesn't sound like a bright idea, given the well-known difficulty
of sandboxing Python.

Geordi <http://weegen.home.xs4all.nl/eelis/geordi/> has some interesting
examples (C++) you might want to try translating to Python and running
on your server. It uses ptrace to control the execution of potentially
hostile code. I don't know if any exploits have been found or whether
it's still active.

Maybe you want to look at Lua. IMHO it's not a very nice language, but
I've heard that it's easy to embed and sandbox.