> Basically I just want a language to allow users to write macros,
> interact with application objects, set property values, sequence
> operations, supporting loops and branch logic and so forth.
>
> Something along the lines of a drawing program that allowed users to
> write and/or download scr
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> 42 wrote:
> > FWIW I've already given up on making python secure. I agree that odds
> > are extremely high that I've missed something. I'm just curious to see
> > what one of the holes I left is, preferably without wading through
> > h
42 wrote:
> FWIW I've already given up on making python secure. I agree that odds
> are extremely high that I've missed something. I'm just curious to see
> what one of the holes I left is, preferably without wading through
> hundreds of pages :)
f = [x for x in [].__class__.__bases__[0].__subc
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> 42 wrote:
> > I was planning on "sanitizing" the language instead of relying on rexec
> > and bastion so issues with them shouldn't be relevant.
>
> I think in dealing with security, deciding what might be relevant before
> you fully u
42 wrote:
> I was planning on "sanitizing" the language instead of relying on rexec
> and bastion so issues with them shouldn't be relevant.
I think in dealing with security, deciding what might be relevant before
you fully understand the problem is somewhat premature... but it's your
neck. :-)
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> 42 wrote:
> > Or is this a hopeless cause?
> >
> > Finally, either way, would anyone recommend a different script engine
> > that might be more suitable for what I'm trying to accomplish that I
> > might not have looked at. I don't nee
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> 42 wrote:
> > But for what it's worth, I *am* curious what sorts of holes persist. I
> > did try googling the archives, but with no idea what I'm looking for --
> > python security brings up a mess of unrelated issues... Python in
> > A
42 wrote:
> Or is this a hopeless cause?
>
> Finally, either way, would anyone recommend a different script engine
> that might be more suitable for what I'm trying to accomplish that I
> might not have looked at. I don't need much; it needs to work with C#,
> and be able to easily interact wi
42 wrote:
> But for what it's worth, I *am* curious what sorts of holes persist. I
> did try googling the archives, but with no idea what I'm looking for --
> python security brings up a mess of unrelated issues... Python in
> Apache, rexec/bastion stuff, xss, issues with infinite loops and many
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> Clearly, Python does not directly offer any kind of useful security sandbox
> capability, but since Java does, I suppose JPython is an option. I know there
> are a lot of downsides to JPython, but it should be a genuine solution to the
>
42 wrote:
> Fair enough. I'm more or less ready to 'give up' on this fantasy of
> python in a sandbox. I'll either use something else, or just accept the
> risk. :)
But is the scripting language interpreter the right place to put
this? After all, any most languages would allow you to write
somet
Clearly, Python does not directly offer any kind of useful security sandbox
capability, but since Java does, I suppose JPython is an option. I know there
are a lot of downsides to JPython, but it should be a genuine solution to the
sandbox problem.
On Sat, 20 Aug 2005 10:21:06 GMT, 42 <[EMAIL PROT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> 42 wrote:
> > Thoughts? Still gaping holes?
>
> Certainly. And rather than rehash them all here, I'm going to suggest
> you check the comp.lang.python archives for any of the many past
> discussions about this before you spend too muc
42 wrote:
> Thoughts? Still gaping holes?
Certainly. And rather than rehash them all here, I'm going to suggest
you check the comp.lang.python archives for any of the many past
discussions about this before you spend too much time thinking
(repeatedly) that you've nailed that one last hole onl
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> 42 wrote:
> > I was wondering if it would be effective to pre-parse incoming scripts
> > and reject those containing "import"?
>
> getattr(__builtins__, '__imp' + 'ort__')('dangerousmodule')
>
See that's the sort of thing I'm talking abou
42 wrote:
> I was wondering if it would be effective to pre-parse incoming scripts
> and reject those containing "import"?
getattr(__builtins__, '__imp' + 'ort__')('dangerousmodule')
--
http://mail.python.org/mailman/listinfo/python-list
42 <[EMAIL PROTECTED]> writes:
> I want the 'worst case' a malicious script to be able to accomplish to be
> a program crash or hang.
You should not rely on Python to provide any kind of security from
malicious users who can run Python scripts.
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> > Would this be sufficient? Are there any drawbacks or giant gaping holes?
> > I'm anticipating that I'd also need to block 'exec' and 'eval' to
> > prevent an import from being obfuscated past the pre-parse.
> >
> > Or is this a hopeless
> Googling for information on securing Python in a "sandbox" seems to
> indicate that there are some built in features, but they aren't really
> trustworthy. Is that correct?
>
> For my purposes, I really just want to let users run in a sandbox, with
> access to only the language, manipulate a few publ
42 <[EMAIL PROTECTED]> writes:
> Googling for information on securing Python in a "sandbox" seems to
> indicate that there are some built in features, but they aren't really
> trustworthy. Is that correct?
Yes.
> For my purposes, I really just want to let users run in a sandbox, with
> access to
> Would this be sufficient? Are there any drawbacks or giant gaping holes?
> I'm anticipating that I'd also need to block 'exec' and 'eval' to
> prevent an import from being obfuscated past the pre-parse.
>
> Or is this a hopeless cause?
Yes. There have been numerous discussions about this, and t
Hi,
I'm extremely new to python, and am looking at using it as an embedded
script engine in a dotnet project I'm working on. I'm currently playing
with the "Python for Net" (http://www.zope.org/Members/Brian/PythonNet)
stuff, and it seems to work well.
Googling for information on securing Pyth
22 matches