Steven Bethard wrote: > > I wish there was a way to, say, exec something with no builtins and with > import disabled, so you would have to specify all the available > bindings, e.g.: > > exec user_code in dict(ClassA=ClassA, ClassB=ClassB) > > but I suspect that even this wouldn't really solve the problem, because > you can do things like: > > py> class ClassA(object): > ... pass > ... > py> object, = ClassA.__bases__ > py> object > <type 'object'> > py> int = object.__subclasses__()[2] > py> int > <type 'int'> > > so you can retrieve a lot of the builtins. I don't know how to retrieve > __import__ this way, but as soon as you figure that out, you can then
> do pretty much anything you want to. > > Steve Steve Safe eval recipe posted to cookbook: http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/364469 Couldn't safe exec be programmed similarly? 'import' and 'from' are syntax, so trivially avoided Likewise, function calls are easily intercepted As you say, attribute access to core functions appears to present the challenge. It is easy to intercept attribute access, harder to know what's safe. If there were a known set of 'dangerous' objects e.g., sys, file, os etc... then these could be checked by identity against any attribute returned Of course, execution would be painfully slow, due to double - interpretation. Michael -- http://mail.python.org/mailman/listinfo/python-list