On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich <eric.freder...@gmail.com> wrote: > Within the debugging console, after importing all of the bindings, there > would be no reason to import anything whatsoever. > With just the bindings I created and the Python language we could do > meaningful debugging. > So if I block the ability to do any imports and calls to eval I should be > safe right?
Nope. Python isn't a secured language in that way. I tried the same sort of thing a while back, but found it effectively impossible. (And this after people told me "It's not possible, don't bother trying". I tried anyway. It wasn't possible.) If you really want to do that, consider it equivalent to putting an open SSH session into your debugging console. Would you give that much power to your application's users? And if you would, is it worth reinventing SSH? ChrisA -- http://mail.python.org/mailman/listinfo/python-list
