Path: csiph.com!x330-a1.tempe.blueboxinc.net!newsfeed.hal-mli.net!feeder3.hal-mli.net!nx02.iad01.newshosting.com!newshosting.com!news-out.octanews.net!indigo.octanews.net!auth.beige.octanews.com.POSTED!not-for-mail From: Paul Rubin Newsgroups: comp.lang.python Subject: Re: Security test of embedded Python References: Date: Tue, 21 Jun 2011 19:02:03 -0700 Message-ID: <7xhb7i7hes.fsf@ruckus.brouhaha.com> Organization: Nightsong/Fort GNOX User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux) Cancel-Lock: sha1:hTF+1VQxlFgnuL0ja3Uly+VJZYA= MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Lines: 15 NNTP-Posting-Date: 21 Jun 2011 21:02:03 CDT X-Complaints-To: abuse@octanews.net Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:8163 Chris Angelico writes: > users to supply scripts which will then run on our servers... > The environment is Python 3.3a0 embedded in C++, running on Linux. This doesn't sound like a bright idea, given the well-known difficulty of sandboxing Python. Geordi has some interesting examples (C++) you might want to try translating to Python and running on your server. It uses ptrace to control the execution of potentially hostile code. I don't know if any exploits have been found or whether it's still active. Maybe you want to look at Lua. IMHO it's not a very nice language, but I've heard that it's easy to embed and sandbox.