Check out PyPy Sandboxing, it may be your best bet:

http://pypy.org/features.html#sandboxing


On Saturday, 14 April 2012 11:45:41 UTC-5, Arruda wrote:
>
> Hi there, I'm doing a system where I want the users to be able to
> set/change some scripts that are dynamically run (RPG-like scripts).
> So a user can change the way the Kill_a_player script is run.
>
> I thought of doing this by using exec, like this:
>
>     class Script(models.Model):
>         script_py = models.TextField(u"Script Python")
>
>         class Meta:
>             app_label = 'scripts'
>
>         def run(self, **kwargs):
>             ret = None
>             # prepares the args
>             for key, val in kwargs.items():
>                 exec("%s = val" % key)
>             exec(self.script_py)
>             return ret
>
> So that I can do:
>
>     s = Script()
>     s.script_py = """character.kill(another_character)
>     character.win_exp()
>     ret = character.lvl"""
>
>     new_lvl = s.run(character=some_player, another_character=another_player)
>
> This all works just fine, but the problem is the security risk of the
> exec...
> So the user could do:
>
>     s.script_py = "import os; os.system('shutdown -P 0')"
>
> And that's the smallest problem...
> So I was thinking if there is already something like that implemented, and
> that I can add to my project easily, and found this PythonScript from Zope,
> that does something like that.
>
> I just don't know if that is easily portable to another project, and if
> I'm going to get what I want using this (let the users change the way the
> script is run). There is not much use if the users can only do: "a + b = c"
>
> I also came across this post http://lybniz2.sourceforge.net/safeeval.html and
> was thinking if there is something like that in exec.
> A friend of mine also said that you can limit what the users can
> import and use in some function (that I don't remember now).
>
> Thanks for the help.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-users/-/8ebW_NjxELkJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
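As an added example (not part of the thread or of the PyPy project), here is an ast-based allowlist check placed ahead of the exec() pattern from the question: it rejects imports, underscore-prefixed attribute access and unknown names before any user code runs. It is an input filter that narrows what exec() will accept, not a sandbox in the PyPy sense; the Character class and the script text are constructed for the example.

```python
import ast

# Node types a game script may use. Anything else (Import, FunctionDef,
# Subscript, ...) is rejected before exec() is ever reached.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.Call, ast.Attribute, ast.Name,
    ast.Load, ast.Store, ast.Constant, ast.BinOp, ast.Add, ast.Sub, ast.Mult,
)

def check_script(source, allowed_names):
    """Return a list of problems found in the script; [] means it passed."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return ["syntax error: %s" % exc]
    problems = []
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            problems.append("disallowed construct: %s" % type(node).__name__)
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            problems.append("private attribute: %s" % node.attr)  # __class__ etc.
        elif (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
              and node.id not in allowed_names):
            problems.append("unknown name: %s" % node.id)
    return problems

def run_script(source, **kwargs):
    """Vet the script, then exec() it with only the passed objects in scope."""
    problems = check_script(source, set(kwargs) | {"ret"})
    if problems:
        raise ValueError("; ".join(problems))
    scope = dict(kwargs, ret=None)
    # Empty __builtins__ so a stray name cannot resolve to open(), eval(), ...
    exec(compile(source, "<user script>", "exec"), {"__builtins__": {}}, scope)
    return scope["ret"]

class Character:
    """Constructed stand-in for the player model in the question."""
    def __init__(self, lvl=1):
        self.lvl, self.alive = lvl, True
    def kill(self, other):
        other.alive = False
    def win_exp(self):
        self.lvl += 1

# The script from the question, constructed as sample input.
GAME_SCRIPT = "character.kill(another_character)\ncharacter.win_exp()\nret = character.lvl\n"
```

The allowlist is deliberately small; every construct a legitimate script needs must be added to ALLOWED_NODES explicitly, which is what keeps the check reviewable.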