


Re: Server Questions (2 of them)

From Christian Heimes <lists@cheimes.de>
Subject Re: Server Questions (2 of them)
Date 2011-11-21 01:27 +0100
References <4c5cedc5-65e4-4bca-a7fe-7afffde79c88@s6g2000vbc.googlegroups.com> <8762iesc3q.fsf@xemacs.org>
Newsgroups comp.lang.python
Message-ID <mailman.2881.1321835300.27778.python-list@python.org>



On 20.11.2011 22:44, Hrvoje Niksic wrote:
> Andrew <andrew.chapkowski@gmail.com> writes:
> 
>> How do you create a server that accepts a set of user code?
> [...]
> 
> Look up the "exec" statement, the server can use it to execute any code
> received from the client as a string.
> 
> Note "any code", though; exec runs in no sandbox and if a malicious
> client defines addition(1, 2) to execute os.system('sudo rm -rf /'), the
> server will happily do just that.

It's possible to sandbox Python code; see
http://docs.python.org/library/rexec.html,
http://code.activestate.com/recipes/496746-restricted-safe-eval/ or TTW
code (through the web) in Zope. However, the sandboxing is limited and
you really need to know what you are doing.



Thread

Server Questions (2 of them) Andrew <andrew.chapkowski@gmail.com> - 2011-11-20 12:02 -0800
  Re: Server Questions (2 of them) Chris Angelico <rosuav@gmail.com> - 2011-11-21 08:34 +1100
  Re: Server Questions (2 of them) Hrvoje Niksic <hniksic@xemacs.org> - 2011-11-20 22:44 +0100
    Re: Server Questions (2 of them) Christian Heimes <lists@cheimes.de> - 2011-11-21 01:27 +0100
      Re: Server Questions (2 of them) alex23 <wuwei23@gmail.com> - 2011-11-20 20:26 -0800
  Re: Server Questions (2 of them) Nizamov Shawkat <nizamov.shawkat@gmail.com> - 2011-11-21 07:28 +0100
