| From | Christian Heimes <lists@cheimes.de> |
|---|---|
| Subject | Re: Server Questions (2 of them) |
| Date | 2011-11-21 01:27 +0100 |
| References | <4c5cedc5-65e4-4bca-a7fe-7afffde79c88@s6g2000vbc.googlegroups.com> <8762iesc3q.fsf@xemacs.org> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.2881.1321835300.27778.python-list@python.org> (permalink) |
On 20.11.2011 22:44, Hrvoje Niksic wrote:
> Andrew <andrew.chapkowski@gmail.com> writes:
>
>> How do you create a server that accepts a set of user code?
> [...]
>
> Look up the "exec" statement, the server can use it to execute any code
> received from the client as a string.
>
> Note "any code", though; exec runs in no sandbox and if a malicious
> client defines addition(1, 2) to execute os.system('sudo rm -rf /'), the
> server will happily do just that.
It's possible to sandbox Python code, see
http://docs.python.org/library/rexec.html,
http://code.activestate.com/recipes/496746-restricted-safe-eval/ or TTW
code (through the web) in Zope. However, the sandboxing is limited and
you really need to know what you are doing.