Hi, I'm extremely new to Python, and am looking at using it as an embedded script engine in a dotnet project I'm working on. I'm currently playing with the "Python for Net" (http://www.zope.org/Members/Brian/PythonNet) stuff, and it seems to work well.

Googling for information on securing Python in a "sandbox" seems to indicate that there are some built in features, but they aren't really trustworthy. Is that correct?

For my purposes, I really just want to let users run in a sandbox, with access to only the language, manipulate a few published objects in the application (and perhaps give them some string and math libraries if applicable). I was wondering if it would be effective to pre-parse incoming scripts and reject those containing "import"? I'd also have the application inject the (short) list of trusted imports to the script before passing it to the interpreter. In theory I'm hoping this would mean script writers would have access to the stuff they need and no way to add in anything else.

Would this be sufficient? Are there any drawbacks or giant gaping holes? I'm anticipating that I'd also need to block 'exec' and 'eval' to prevent an import from being obfuscated past the pre-parse. Or is this a hopeless cause?

Finally, either way, would anyone recommend a different script engine that might be more suitable for what I'm trying to accomplish that I might not have looked at? I don't need much; it needs to work with C#, and be able to easily interact with a 'published' interface. I'd also like to leverage a "popular" language instead of something obscure.

I also looked at Javascript, but couldn't find a way to embed an interpreter into a C# app. There's some CodeDom stuff with JScript, but that seemed backwards...overkill; I don't really want to compile temporary assemblies for hundreds of 2 and 3 line scripts... and the VSA stuff has been marked deprecated with no apparent successor... seems like I jumped into this at precisely the wrong time. :)

Any thoughts, insights, or comments welcome. Forgive my lack of Python savvy... I've only been playing with it for a few hours now; after bumping into the "python for net" link.

-regards, Dave
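The pre-parse described in the message above, as an added example that is not part of the original post: the proposed substring filter for "import" next to a check on the parsed syntax tree, run over four constructed scripts. It assumes Python 3's `ast` module; the allow-list, the blocked-name list and the sample scripts are illustrative choices, not anything the poster specified.

```python
import ast

ALLOWED_IMPORTS = {"math", "string"}  # assumption: the host's short trusted list
BLOCKED_NAMES = {"exec", "eval", "compile", "__import__", "getattr", "open"}

def naive_check(source):
    """The filter proposed in the post: accept only scripts without 'import'."""
    return "import" not in source

def ast_check(source):
    """Return (line, reason) findings; an empty list means the script passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        return [(err.lineno or 0, "syntax error")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_IMPORTS:
                    findings.append((node.lineno, "import of " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            # Relative imports (level > 0) are never on the trusted list.
            if node.level or (node.module or "").split(".")[0] not in ALLOWED_IMPORTS:
                findings.append((node.lineno, "import from " + str(node.module)))
        elif isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            findings.append((node.lineno, "use of " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append((node.lineno, "dunder attribute " + node.attr))
    return findings

# Constructed sample scripts (not from the original post).
SAMPLES = {
    "benign": 'label = "important total"\nprint(label.upper())',
    "allowed": "import math\nprint(math.sqrt(16))",
    "plain": "import os",
    "obfuscated": 'exec("imp" + "ort os")',
}

def compare():
    """Map each sample to (accepted by substring filter, accepted by AST check)."""
    return {name: (naive_check(src), ast_check(src) == [])
            for name, src in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(name, verdict)
```

The substring filter rejects the harmless script containing the word "important" and accepts the `exec` case the post anticipates; the syntax-tree check gets both right. A static check of this kind limits what a script can spell, but it is not an isolation boundary on its own.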