Newsgroups: comp.lang.python
Date: Fri, 19 Oct 2012 16:43:40 -0700 (PDT)
Subject: Re: use of exec()
From: lars van gemerden
To: comp.lang.python@googlegroups.com
Cc: python-list@python.org
References: <2f12fa83-54cc-4fc2-85e4-b8aebebf4242@googlegroups.com> <05702a47-ff6b-4589-8352-d21b1921e77e@googlegroups.com> <2e5df7eb-7781-4c32-a9a7-088be940a4d3@googlegroups.com>

On Thursday, October 18, 2012 5:16:50 PM UTC+2, Chris Angelico wrote:
> On Fri, Oct 19, 2012 at 2:00 AM, lars van gemerden wrote:
>
> > I get your point, since in this case having the custom code option makes the system a whole lot less complex and flexible, I will leave the option in. The future customer will be informed that they should handle the security around the designers as if they were programmers. Additionally I will probably add some screening for unwanted keywords (like 'import') and securely log any new/changed custom code including the designer account (must do that for other actions anyway).
>
> That sounds like a reasonable implementation of Layer Eight security.
> As long as everyone understands that this code can do ANYTHING, you'll
> be fine.
>
> You may want to add some other programmatic checks, though; for
> instance, a watchdog timer in case the code gets stuck in an infinite
> loop, or a memory usage limit, or somesuch. Since you're no longer
> worrying about security, this sort of thing will be fairly easy, and
> will be just to help catch common errors.
>
> ChrisA

Do you have any ideas about to what extent the "lambda" version of the code (custom code is only the 'body' of the lambda function) has the same issues?

Cheers, Lars
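As an added example that is not part of the original thread, here is one way to implement the two programmatic checks Chris suggests (a watchdog timer and a memory limit) around an exec() of designer-submitted code: the snippet runs in a separate interpreter whose address space is capped, and the parent kills it on timeout. The function name `run_custom_code`, the limits and the sample snippets are assumptions for illustration; it assumes Linux, where `RLIMIT_AS` is enforced.

```python
import subprocess
import sys
import textwrap

# Added example, not the thread's own code. Assumes Linux: RLIMIT_AS is
# not enforced on macOS, and the hard limit must allow lowering it.
TIMEOUT_SECONDS = 2.0
MEMORY_LIMIT_BYTES = 1024 * 1024 * 1024

# Child process: apply the address-space limit before exec()ing the custom
# code, so a runaway allocation raises MemoryError instead of starving the host.
_CHILD_SCRIPT = textwrap.dedent("""\
    import resource, sys
    limit = int(sys.argv[1])
    resource.setrlimit(resource.RLIMIT_AS, (limit, limit))
    code = sys.stdin.read()
    exec(compile(code, "<custom code>", "exec"), {"__name__": "custom"})
""")


def run_custom_code(code, timeout=TIMEOUT_SECONDS, memory_limit=MEMORY_LIMIT_BYTES):
    """Run a designer's snippet in a separate interpreter.

    Returns (status, output) with status "ok", "timeout", "memory" or "error".
    These guards catch common mistakes; the code itself can still do anything.
    """
    cmd = [sys.executable, "-I", "-c", _CHILD_SCRIPT, str(memory_limit)]
    try:
        proc = subprocess.run(cmd, input=code, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""  # the watchdog fired; run() has killed the child
    if proc.returncode == 0:
        return "ok", proc.stdout
    if "MemoryError" in proc.stderr:
        return "memory", proc.stderr
    return "error", proc.stderr


if __name__ == "__main__":
    # Constructed sample snippets standing in for designer-submitted code.
    samples = {
        "well-behaved": "print(sum(range(10)))",
        "infinite loop": "while True:\n    pass",
        "memory hog": "buf = bytearray(4 * 1024 ** 3)",
        "typo": "prnt('x')",
    }
    for name, snippet in samples.items():
        status, out = run_custom_code(snippet)
        print(f"{name:14s} -> {status} {out.strip()[:40]!r}")
```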