On Oct 13, 8:36 am, lkcl <[EMAIL PROTECTED]> wrote: > On Oct 9, 4:32 am, "James Mills" <[EMAIL PROTECTED]> wrote: > > > On Thu, Oct 9, 2008 at 2:26 PM, Warren DeLano <[EMAIL PROTECTED]> wrote: > > > JSON rocks! Thanks everyone. > > > Yes it does :) > > > > Ben wrote: > > > >>More generally, you should never execute (via eval, exec, or whatever) > > >>*any* instruction from an untrusted path; especially not arbitrary > > >>data from an input stream. > > rubbish. this is why a project i was involved with, to do execution > of code from a database instead of a filesystem had to be abandoned, > back in 2001. > > there are perfectly good systems for associating security context > with "arbitrary data" (as the security models of SE/Linux, based on > Flask, and the security model of windows nt, based on VAX/VMS > security, show). > > there was a flawed design decision in python 2.2 or python 2.3 which > resulted in an "escape route" - i believe it centered around either > __class__ or __new__ - in the c code, which the developers had not > considered, and would not correct. > > this decision resulted in the abandonment of the rexec.py module in > python: you can see for yourself because it raises a runtime exception > when you try to use it, issuing a warning. > > it's _perfectly_ possible to define security contexts and boundaries, > and to allow access to functions and modules on a per-security-context > basis. > > *as defined by the application developer* [not by the developers of > python itself] > > if an individual developer wants to allow "arbitrary code execution > from any data stream", it most certainly is _not_ anyone's place to > dictate to them that they "cannot do this".
That's why eval and exec still exist (and will probably be around for a long time, if not forever). If you define your own external to python security contexts, what did the deprecated rexec buy you that eval/exec don't ? In any case, rexec is a single pure python module; nothing stops you from copying it over to your project, hacking it and keep using it at your own risk. George -- http://mail.python.org/mailman/listinfo/python-list
