On Jan 16, 7:17 pm, Paul Rubin <http://phr...@nospam.invalid> wrote:
> mario ruggier <mario.rugg...@gmail.com> writes:
> > All the above attempts will be blocked this way. Any other disallow-
> > sub-strings to add to the list above?
>
> I think what you are trying to do is fundamentally hopeless. You
> might look at web.py (http://webpy.org) for another approach, that
> puts a complete interpreter for a Python-like language into the
> template engine.

Well, that is a bold statement... but maybe it is explained by what you refer to, so I did a cursory look. But I fail to notice any reference to an embedded "python-like language" -- is there some sort of overview of how web.py implements this, e.g. something like the equivalent of the doc describing how evoque implements its sandbox:
http://evoque.gizmojo.org/usage/restricted/

I get the feeling you may also be ignoring contextual factors... restricting the full python interpreter is not what we are talking about here, but templating systems (such as web.py?) that just allow embedding of any and all python code will require exactly that. And *that* may well seem fundamentally hopeless.

Evoque chooses to allow only expressions, and those under a *managed* context. To make that secure is a whole different (smaller) task.
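
The "expressions only, under a managed context" idea from the message above, as an added example that is not part of the original post and is not evoque's or web.py's code. It uses a syntax-tree allowlist rather than the disallowed-substring list discussed in the thread; `SAFE_CONTEXT`, `check_expression`, `evaluate` and `is_rejected` are hypothetical names.

```python
import ast

# Hypothetical managed context: the only names a template expression may use.
SAFE_CONTEXT = {"len": len, "title": "hello world", "items": [1, 2, 3]}


class RestrictedExpressionError(ValueError):
    """Raised when a template expression falls outside the policy."""


def check_expression(source, allowed_names):
    """Parse source as one expression and reject nodes outside the policy."""
    try:
        # mode="eval" accepts a single expression only, so statements
        # (import, assignment, def, class) are refused by the parser itself.
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise RestrictedExpressionError(f"not an expression: {exc.msg}") from None
    for node in ast.walk(tree):
        # Every bare name must come from the managed context.
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            raise RestrictedExpressionError(f"name not in context: {node.id}")
        # Underscore-prefixed attributes expose interpreter internals.
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise RestrictedExpressionError(f"private attribute: {node.attr}")
        if isinstance(node, (ast.Lambda, ast.NamedExpr)):
            raise RestrictedExpressionError("construct not allowed")
    return tree


def evaluate(source, context=SAFE_CONTEXT):
    """Evaluate a checked expression with no builtins, only the context."""
    tree = check_expression(source, set(context))
    code = compile(tree, "<template>", "eval")
    return eval(code, {"__builtins__": {}}, dict(context))


def is_rejected(source, context=SAFE_CONTEXT):
    """True when the policy refuses the expression before evaluation."""
    try:
        check_expression(source, set(context))
    except RestrictedExpressionError:
        return True
    return False
```

The check covers only what appears in the syntax tree; every object placed in the context has to be vetted separately, because its methods run unrestricted once an expression is allowed to call them.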