42 wrote:
> I was planning on "sanitizing" the language instead of relying on rexec
> and bastion so issues with them shouldn't be relevant.

I think in dealing with security, deciding what might be relevant before you fully understand the problem is somewhat premature... but it's your neck. :-)

> I'm curious about the 'other' stuff that was alluded to, that could
> still occur in a python with all its __import__, import, exec, eval, and
> various reflection/metadata builtins prohibited (e.g. getattr)...

Okay, but are you saying that combining those keywords with "security" when searching comp.lang.python in Google Groups produced no useful results? When I do it, I generally get to threads where somebody rushes in with suggestions about how to add security where the core Python people fear to tread (so to speak), and after a short period of back and forth where each idea is quickly shot down, the thread sort of dies out as (I suspect) the OP realizes the problems are fundamental and probably can't be fixed without changes to the Python core itself, or at least can't be fixed *with confidence* without a thorough security audit which so far nobody has valued enough to actually do.

-Peter