Hi there, I'm doing a system where I want the users to be able to set/change some scripts that are dynamically run (RPG-like scripts). So a user can change the way the Kill_a_player script is run.
I thought of doing this by using exec, like this:

    from django.db import models

    class Script(models.Model):
        script_py = models.TextField(u"Script Python")

        class Meta:
            app_label = 'scripts'

        def run(self, **kwargs):
            ret = None
            # prepares the args
            for key, val in kwargs.items():
                exec("%s = val" % key)
            exec(self.script_py)
            return ret

So that I can do:

    s = Script()
    s.script_py = """character.kill(another_character)
    character.win_exp()
    ret = character.lvl"""
    new_lvl = s.run(character=some_player, another_character=another_player)

This all works just fine, but the problem is the security risk of the exec... So the user could do:

    s.script_py = "import os; os.system('shutdown -P 0')"

And that's the smallest problem...

So I was wondering if there is already something like that implemented that I can add to my project easily, and found this PythonScript from Zope, that does something like that. I just don't know if that is easily portable to another project, and if I'm going to get what I want using this (let the users change the way the script is run). There is not much use if the users can only do "a + b = c".

I also came across this post http://lybniz2.sourceforge.net/safeeval.html and was wondering if there is something like that for exec. A friend of mine also said that you can limit what the users can import and use in some function (that I don't remember now).

Thanks for the help.
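One way to narrow what a user script can do before it reaches exec, as an added example that is not part of the original post: the script is parsed with `ast`, checked against an allowlist of syntax, and run with empty builtins. `ALLOWED_NODES`, `validate`, `run_script`, `ScriptRejected` and the `Character` class are hypothetical names constructed for illustration, and the code targets Python 3.

```python
import ast

# Syntax a game script may use; import, def, class, lambda, loops, subscripts,
# comprehensions and try/except are rejected before anything runs.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.AugAssign, ast.If, ast.Pass,
    ast.Name, ast.Load, ast.Store, ast.Attribute, ast.Call, ast.keyword,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)

class ScriptRejected(Exception):
    """The script uses syntax or names outside the allowlist."""

def validate(source):
    tree = ast.parse(source, mode="exec")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ScriptRejected("%s is not allowed" % type(node).__name__)
        name = getattr(node, "attr", None) or getattr(node, "id", None)
        if name and name.startswith("_"):
            raise ScriptRejected("private name %r" % name)
        # No string literals: format strings can traverse attributes.
        if isinstance(node, ast.Constant) and not isinstance(
                node.value, (int, float, type(None))):
            raise ScriptRejected("only numbers, booleans and None as literals")
    return tree

def run_script(source, **objects):
    tree = validate(source)
    # Python 3: exec() needs an explicit namespace; ret is read back from it.
    namespace = dict(objects, ret=None)
    namespace["__builtins__"] = {}  # no open(), __import__(), eval(), getattr()
    exec(compile(tree, "<user script>", "exec"), namespace)
    return namespace["ret"]

class Character:  # constructed stand-in for the game's character object
    def __init__(self, lvl=1):
        self.lvl, self.alive = lvl, True

    def kill(self, other):
        other.alive = False

    def win_exp(self):
        self.lvl += 1
```

This narrows what a script can express but is not a full sandbox: every public method and attribute of the objects passed in stays reachable, and nothing bounds CPU or memory. Pass narrow facade objects rather than Django model instances, and run scripts in a separate process with a time limit.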