Is there a "safe" subset of Python for use as an embedded scripting language?

Question

In the many Python applications I've created, I often create simple modules containing nothing but constants to be used as config files. Additionally, because the config file is actually a Python code file, I can add simple logic for changing variables depending on a debug level, etc.

While this works great for internal applications, I'd be wary about releasing such applications into the wild for fear of someone either accidentally, or maliciously, adding destructive code to the file. The same would hold true for using Python as an embedded scripting language.

Is there a subset of Python that is deemed "safe" for embedding? I realize how safe it can be considered is fairly subjective. However, Java Applets and Flash both have their security sandbox well defined. I'm wondering if there's a version of Python that has similar rules?

I'm asking not so much because of the config file approach, but because I'm interested in implementing some scripting/plugin mechanisms into a newer app and don't want a plugin or script to be able to, say, delete files. That goes beyond the scope of what the application should be able to do.

Recommended answer

Here are a couple of links to give you an idea on what you're up against:

  • How can I run an untrusted Python script safely (i.e. Sandbox)
  • Capabilities for Python? by Guido himself

There's also a dead Google Code project at http://code.google.com/p/sandbox-python/
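
For the config-file case in the question only (not the scripting/plugin case), one approach is to parse the file and interpret a small whitelist of statements instead of importing it. This is an added example, not code from the question or the answer; `load_config`, `UnsafeConfig` and the sample config are names and data constructed for illustration.

```python
import ast
import operator

class UnsafeConfig(ValueError):
    """Raised when the config uses anything outside the allowed subset."""

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Lt: operator.lt, ast.LtE: operator.le}

def _value(node, env):
    # A bare name may only refer to a constant defined earlier in the file.
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise UnsafeConfig(f"line {node.lineno}: unknown name {node.id!r}")
        return env[node.id]
    try:
        return ast.literal_eval(node)  # literals only: no calls or attributes
    except (ValueError, TypeError):
        raise UnsafeConfig(f"line {node.lineno}: only literals allowed") from None

def _test(node, env):
    # Conditions are NAME or a single comparison, e.g. `if DEBUG_LEVEL >= 2:`
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _CMP):
        op = _CMP[type(node.ops[0])]
        return op(_value(node.left, env), _value(node.comparators[0], env))
    return bool(_value(node, env))

def _run(body, env):
    for stmt in body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            env[stmt.targets[0].id] = _value(stmt.value, env)
        elif isinstance(stmt, ast.If):
            hit = _test(stmt.test, env)
            # Validate the untaken branch on a scratch copy so it cannot hide code.
            _run(stmt.orelse if hit else stmt.body, dict(env))
            _run(stmt.body if hit else stmt.orelse, env)
        else:
            raise UnsafeConfig(f"line {stmt.lineno}: {type(stmt).__name__} not allowed")

def load_config(source):
    """Interpret a constants-only config; the source is parsed, never executed."""
    env = {}
    _run(ast.parse(source).body, env)
    return env

# Constructed sample config: constants plus one debug-level switch.
SAMPLE = ('DEBUG_LEVEL = 2\nLOG_FILE = "app.log"\n'
          'if DEBUG_LEVEL >= 2:\n    LOG_FILE = "debug.log"\n')
```

Imports, function calls, attribute access and any other statement raise `UnsafeConfig`, including inside a branch that is not taken.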
