| Started by | Chris Angelico <rosuav@gmail.com> |
|---|---|
| First post | 2012-08-17 08:43 +1000 |
| Last post | 2012-08-18 00:06 +1000 |
| Articles | 6 — 4 participants |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: remote read eval print loop Chris Angelico <rosuav@gmail.com> - 2012-08-17 08:43 +1000
Re: remote read eval print loop Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2012-08-17 02:27 +0000
Re: remote read eval print loop Alister <alister.ware@ntlworld.com> - 2012-08-17 06:38 +0000
Re: remote read eval print loop Chris Angelico <rosuav@gmail.com> - 2012-08-17 17:25 +1000
Re: remote read eval print loop rusi <rustompmody@gmail.com> - 2012-08-17 04:09 -0700
Re: remote read eval print loop Chris Angelico <rosuav@gmail.com> - 2012-08-18 00:06 +1000
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2012-08-17 08:43 +1000 |
| Subject | Re: remote read eval print loop |
| Message-ID | <mailman.3400.1345157033.4697.python-list@python.org> |

On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich <eric.frederich@gmail.com> wrote:

> Hello,
>
> I have a bunch of Python bindings for a 3rd party software running on the
> server side.
> I can add client side extensions that communicate over some http / xml type
> requests.
> So I can define functions that take a string and return a string.
> I would like to get a simple read eval print loop working.

Let's stop *right there*. You're looking for something that will run on your server, take strings of text from a remote computer, and eval them.

Please, please, please, on behalf of every systems administrator in the world I beg you, please do not do this.

Instead, define your own high-level protocol and have your server respond to that. One excellent way to keep things tidy is to use a 'command, parameters, newline' model: each line of text is one instruction, consisting of a command word, then optionally parameters after a space, then a newline. It's easy to debug, easy to read in your code, and makes sense to anyone who's used a command-line interface.

Six months from now, when your server still hasn't been compromised, you'll appreciate the extra design effort :)

Chris Angelico

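
The 'command, parameters, newline' model from the post above, as an added example that is not part of the original thread: each request line is split into a command word and a parameter string, the command is looked up in a fixed table, and parameters are parsed as data rather than evaluated. The command names `ECHO` and `ADD`, the `OK`/`ERR` reply format and the 1024-byte line limit are assumptions made for illustration.

```python
MAX_LINE = 1024  # assumed limit: reject oversized requests before parsing


class CommandError(Exception):
    """Raised by a handler when its parameters are invalid."""


def cmd_echo(params: str) -> str:
    return params


def cmd_add(params: str) -> str:
    # Parameters are parsed as data (integers), never evaluated as code.
    try:
        return str(sum(int(tok) for tok in params.split()))
    except ValueError:
        raise CommandError("ADD takes whitespace-separated integers") from None


# Fixed allowlist (hypothetical commands): only these names are ever called.
COMMANDS = {"ECHO": cmd_echo, "ADD": cmd_add}


def handle_line(raw: bytes) -> str:
    """Turn one request line into one reply line; input is never eval'd."""
    if len(raw) > MAX_LINE:
        return "ERR line too long"
    try:
        line = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return "ERR malformed line"
    if not line.isprintable():  # embedded control characters or newlines
        return "ERR malformed line"
    command, _, params = line.partition(" ")
    handler = COMMANDS.get(command.upper())
    if handler is None:
        return "ERR unknown command"
    try:
        return "OK " + handler(params)
    except CommandError as exc:
        return f"ERR {exc}"


if __name__ == "__main__":
    # Constructed sample requests, including one that is Python source text.
    for request in (b"ADD 2 3\n", b"echo hello world\r\n", b"print(1+1)\n"):
        print(request, "->", handle_line(request))
```

A line containing Python source is treated like any other unrecognised command word: it is looked up, not found, and rejected without being executed.
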
| From | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| Date | 2012-08-17 02:27 +0000 |
| Message-ID | <502dac1e$0$29978$c3e8da3$5496439d@news.astraweb.com> |
| In reply to | #27208 |

On Fri, 17 Aug 2012 08:43:50 +1000, Chris Angelico wrote:

> On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
> <eric.frederich@gmail.com> wrote:
>> Hello,
>>
>> I have a bunch of Python bindings for a 3rd party software running on
>> the server side.
>> I can add client side extensions that communicate over some http / xml
>> type requests.
>> So I can define functions that take a string and return a string. I
>> would like to get a simple read eval print loop working.
>
> Let's stop *right there*. You're looking for something that will run on
> your server, take strings of text from a remote computer, and eval them.
>
> Please, please, please, on behalf of every systems administrator in the
> world I beg you, please do not do this.
>
> Instead, define your own high-level protocol

Stop right there!

There are already awesome protocols for running Python code remotely over a network. Please do not re-invent the wheel without good reason.

See pyro, twisted, rpyc, rpclib, jpc, and probably many others.

--
Steven

| From | Alister <alister.ware@ntlworld.com> |
|---|---|
| Date | 2012-08-17 06:38 +0000 |
| Message-ID | <CFlXr.960569$gC5.87844@fx10.am4> |
| In reply to | #27219 |

On Fri, 17 Aug 2012 02:27:42 +0000, Steven D'Aprano wrote:

> On Fri, 17 Aug 2012 08:43:50 +1000, Chris Angelico wrote:
>
>> On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
>> <eric.frederich@gmail.com> wrote:
>>> Hello,
>>>
>>> I have a bunch of Python bindings for a 3rd party software running on
>>> the server side.
>>> I can add client side extensions that communicate over some http / xml
>>> type requests.
>>> So I can define functions that take a string and return a string. I
>>> would like to get a simple read eval print loop working.
>>
>> Let's stop *right there*. You're looking for something that will run on
>> your server, take strings of text from a remote computer, and eval
>> them.
>>
>> Please, please, please, on behalf of every systems administrator in the
>> world I beg you, please do not do this.
>>
>> Instead, define your own high-level protocol
>
> Stop right there!
>
> There are already awesome protocols for running Python code remotely over
> a network. Please do not re-invent the wheel without good reason.
>
> See pyro, twisted, rpyc, rpclib, jpc, and probably many others.

I think you missed the main point of the previous post, which was: Do NOT blindly eval data sent from a remote computer, as it cannot be trusted.

This of course is assuming they are not on a secure connection, but even then it is good practice as not all attacks come from outside.

Although I have to agree with you about not re-inventing wheels, they invariably come out square :-)

--
<Kensey> RMS for President???
<RelDrgn> ...or ESR, he wants a new job ;)

| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2012-08-17 17:25 +1000 |
| Message-ID | <mailman.3409.1345188334.4697.python-list@python.org> |
| In reply to | #27219 |

On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote:

> There are already awesome protocols for running Python code remotely over
> a network. Please do not re-invent the wheel without good reason.
>
> See pyro, twisted, rpyc, rpclib, jpc, and probably many others.

But they're all tools for building protocols. I like to make line-based protocols that don't need middle-layers, you might like to use RPC, doesn't matter; either way, neither of us is sending untrusted code across the internet and executing it.

By all means, use pyro instead of plain sockets to build your protocol; you still don't need a read/eval/print loop to run across a network.

Personally, I'm of the opinion that simple text-based protocols are usually sufficient, and much easier to debug - heavier things like RPC tend to be overkill. But as Alister pointed out, my main point was not about the details of how you design your protocol.

ChrisA

| From | rusi <rustompmody@gmail.com> |
|---|---|
| Date | 2012-08-17 04:09 -0700 |
| Message-ID | <9b7aa68b-3103-42b4-b2d5-41a577ef388f@j2g2000pbg.googlegroups.com> |
| In reply to | #27225 |

On Aug 17, 12:25 pm, Chris Angelico <ros...@gmail.com> wrote:

> On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano
>
> <steve+comp.lang.pyt...@pearwood.info> wrote:
> > There are already awesome protocols for running Python code remotely over
> > a network. Please do not re-invent the wheel without good reason.
>
> > See pyro, twisted, rpyc, rpclib, jpc, and probably many others.
>
> But they're all tools for building protocols. I like to make
> line-based protocols

Don't know if this is relevant. If it is, it's more in the heavyweight direction.

Anyway just saw this book yesterday http://springpython.webfactional.com/node/39

| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2012-08-18 00:06 +1000 |
| Message-ID | <mailman.3416.1345212377.4697.python-list@python.org> |
| In reply to | #27232 |

On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich <eric.frederich@gmail.com> wrote:

> Within the debugging console, after importing all of the bindings, there
> would be no reason to import anything whatsoever.
> With just the bindings I created and the Python language we could do
> meaningful debugging.
> So if I block the ability to do any imports and calls to eval I should be
> safe right?

Nope. Python isn't a secured language in that way. I tried the same sort of thing a while back, but found it effectively impossible. (And this after people told me "It's not possible, don't bother trying". I tried anyway. It wasn't possible.)

If you really want to do that, consider it equivalent to putting an open SSH session into your debugging console. Would you give that much power to your application's users? And if you would, is it worth reinventing SSH?

ChrisA
