Is there a "safe" subset of Python for use as an embedded scripting language?


Question

In the many Python applications I've created, I often create simple modules containing nothing but constants to be used as config files. Additionally, because the config file is actually a Python code file, I can add simple logic for changing variables depending on a debug level, etc.

While this works great for internal applications, I'd be wary about releasing such applications into the wild for fear of someone either accidentally, or maliciously, adding destructive code to the file. The same would hold true for using Python as an embedded scripting language.

Is there a subset of Python that is deemed "safe" for embedding? I realize how safe it can be considered is fairly subjective. However, Java Applets and Flash both have their security sandbox well defined. I'm wondering if there's a version of Python that has similar rules?

Edit: I'm asking not so much because of the config file approach, but because I'm interested in implementing some scripting/plugin mechanisms into a newer app and don't want a plugin or script to be able to, say, delete files. That goes beyond the scope of what the application should be able to do.

Recommended answer

Here are a couple of links to give you an idea on what you're up against:

  • How can I run an untrusted Python script safely (i.e. Sandbox)
  • Capabilities for Python? by Guido himself

There is also a dead Google Code project at http://code.google.com/p/sandbox-python/
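
For the config-file case described in the question (constants plus simple logic keyed on a debug level), one option is to not execute the file as Python at all. The following is an added example, not code from the original question or answer: it parses the file with `ast`, rejects every node type outside a small allow-list, and interprets what remains itself. The names `load_config` and `SAMPLE` and the chosen subset (NAME = literal, lists, single comparisons, if/else) are assumptions of this example.

```python
import ast
import operator

# Comparison operators admitted by this example's subset (an assumption).
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
# Every AST node type admitted; the rest is rejected, even in untaken branches.
_ALLOWED = (ast.Module, ast.Assign, ast.If, ast.Name, ast.Load, ast.Store,
            ast.Constant, ast.List, ast.Compare, *_CMP)
# Constructed sample config (not from the original page).
SAMPLE = "LOG_LEVEL = 'info'\nif DEBUG >= 2:\n    LOG_LEVEL = 'debug'\n"


def _value(node, env):
    """Evaluate an expression by walking the tree; eval/exec are never used."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise ValueError(f"line {node.lineno}: unknown name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.List):
        return [_value(e, env) for e in node.elts]
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        right = _value(node.comparators[0], env)
        return _CMP[type(node.ops[0])](_value(node.left, env), right)
    raise ValueError(f"line {node.lineno}: unsupported expression")


def _run(stmts, env):
    for stmt in stmts:  # after the allow-list pass, stmt is ast.If or ast.Assign
        if isinstance(stmt, ast.If):
            _run(stmt.body if _value(stmt.test, env) else stmt.orelse, env)
        elif len(stmt.targets) == 1 and isinstance(stmt.targets[0], ast.Name):
            env[stmt.targets[0].id] = _value(stmt.value, env)
        else:
            raise ValueError(f"line {stmt.lineno}: only NAME = value is allowed")


def load_config(source, preset=None):
    """Interpret source as config; preset supplies inputs such as DEBUG."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"line {getattr(node, 'lineno', '?')}: "
                             f"{type(node).__name__} is not allowed")
    env = dict(preset or {})
    _run(tree.body, env)
    return env
```

Because nothing is handed to `eval` or `exec`, imports, calls and attribute access have no path to run. This covers the constants-plus-simple-logic config case only, not general plugin scripting.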
