On Fri, Apr 3, 2009 at 1:06 PM, Anand Balachandran Pillai <abpil...@gmail.com> wrote:

> On Fri, Apr 3, 2009 at 12:53 PM, Anand Chitipothu <anandol...@gmail.com> wrote:
>
>> 2009/4/3 Noufal Ibrahim <nou...@gmail.com>:
>> > There was a thread on python-dev recently about sandboxing code by
>> > restricting the variables provided. A lot of people broke it (you can
>> > check the archives for "break this code" or something similar).
>>
>> This one?
>>
>> http://mail.python.org/pipermail/python-dev/2009-February/086401.html
>>
>> > In any case, if you deny people the ability to use __import__, then
>> > any functions that call import will fail. Whether that's a good
>> > practice is questionable but that's the state of affairs.
>>
>> It does restrict people from using imports, but it doesn't restrict
>> calling functions which use import.
>>
>> The problem with the mentioned code is that an implicit import is
>> getting called in the current env. If that import is inside that
>> function then it wouldn't be an issue.
>
> Use this work-around.
>
> # Save the name __import__
> __import__ = __builtins__.__import__
> __builtins = {}
>
> import datetime
> now = datetime.datetime.utcnow()
> print now.strftime("%m %Y")
>
> This works. Do this at the top of all modules which are dependent
> on your code which breaks __builtin__.

Retracted. I was testing the wrong code :)
It should be __builtins__, not __builtins, in which case it fails...!

However you can do the same thing and inject the __import__ name
after your modification. Like,

code = generate_code(template)
__import__ = __builtins__.__import__
custom_builtins.__import__ = __import__
env = {'__builtins__': custom_builtins}
exec(code, env)

?

--
-Anand
_______________________________________________
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
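
The import behaviour discussed in this thread, as an added example that is not code from any of the posters and is written for Python 3 rather than the Python 2 used above. It shows an empty `__builtins__` breaking `import`, a function defined outside the restricted environment still importing normally, and an injected `__import__` narrowed to an allowlist. `ALLOWED_MODULES`, `guarded_import`, `helper_that_imports`, `run_restricted` and `SNIPPET` are hypothetical names.

```python
import builtins

# Assumption for this example: "time" is allowlisted alongside "datetime"
# because strftime() can trigger an implicit import in the calling env.
ALLOWED_MODULES = {"datetime", "time"}
requested = []  # every module name the restricted code asked the hook for


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Replacement __import__ that admits only allowlisted top-level modules."""
    requested.append(name)
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportError("import of %r is not permitted" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def helper_that_imports():
    """Defined outside the restricted env, so its import uses the real builtins."""
    import json
    return json.dumps({"ok": True})


def run_restricted(code, custom_builtins, extra=None):
    """exec code with custom_builtins as __builtins__; return (env, error or None)."""
    env = {"__builtins__": custom_builtins}
    env.update(extra or {})
    try:
        exec(code, env)
    except ImportError as exc:
        return env, exc
    return env, None


# Constructed sample of template-generated code, modelled on the thread's snippet.
SNIPPET = 'import datetime\nstamp = datetime.datetime(2009, 4, 3).strftime("%m %Y")\n'

if __name__ == "__main__":
    # 1. Empty builtins: the import statement itself has no __import__ to call.
    print(run_restricted(SNIPPET, {})[1])
    # 2. A function handed in from outside still imports with the real builtins.
    print(run_restricted("out = helper()", {}, {"helper": helper_that_imports})[0]["out"])
    # 3. Injected hook: allowlisted modules load, anything else is refused.
    print(run_restricted(SNIPPET, {"__import__": guarded_import})[0]["stamp"])
    print(run_restricted("import os", {"__import__": guarded_import})[1])
    print(requested)
```

As the thread says of the python-dev experiment, restricting the provided names was broken by a lot of people, so this illustrates how imports resolve under a custom `__builtins__` and is not an isolation boundary.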