On 23.08.2012, at 17:07 , Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> I think Gregory's suggestion of using the python's ast module to limit the 
> sorts of syntax constructs that we accept in the build manifest files is a 
> great one.  That would let us make python powerful enough for our needs, but 
> not more powerful.  And we can easily advertize the build scripts as "python 
> files that only allow variable assignments and conditionals, etc."  The 
> advantage of not inventing a new language is too high for us to give up, IMO.

Instead of using Python's ast module, you can also do a simple trick with the 
exec statement and limit the global scope and only allow certain whitelisted 
names.

An example implementation is at https://gist.github.com/3437909. Download it as 
restricted.py, put it into a directory next to an empty Python file called 
evil.py and run "python restricted.py evil.py".

If your evil.py contains:

CONST = True

l = [1, 2, 3]
if 1 in l:
    l.append(4)

You get the pretty printed output:

Globals
{'__builtins__': {'False': False, 'None': None, 'True': True},
 'uname': ('Darwin',
           'hanno-air.local',
           '12.0.0',
           'Darwin Kernel Version 12.0.0: Sun Jun 24 23:00:16 PDT 2012; 
root:xnu-2050.7.9~1/RELEASE_X86_64',
           'x86_64',
           'i386')}
Locals
{'CONST': True, 'l': [1, 2, 3, 4]}

I exposed platform.uname as uname to showcase how you could expose information 
about the current system. In the same way putting os.environ.copy() in there 
works as well.

By default there's no import statement and no way to open files, or even just 
any of the exception names. You can define functions, but not classes. One 
could add a special import statement or some other function like "include" to 
allow re-use across files.

You can achieve the same with the ast module, but I find that more difficult to 
read and understand than this approach.

Hanno
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
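The restricted-scope trick described in the mail, as an added example rather than Hanno's gist: Python 3's exec() function stands in for the Python 2 exec statement, the manifest text is a constructed copy of evil.py, and run_restricted() and attempts_blocked() are helpers written for this example to show what the whitelisted scope does and does not allow.

```python
import platform

# Constructed example, not the gist from the mail. Python 3's exec()
# function is used in place of the Python 2 exec statement.

# Whitelisted builtins: only the three constants. No __import__, no open(),
# not even the exception names, so `import`, file access and `except`
# clauses all fail inside the manifest.
SAFE_BUILTINS = {"True": True, "False": False, "None": None}


def run_restricted(source, extra_globals=None):
    """Execute a manifest with a whitelisted global scope.

    Returns (globals, locals) after execution. Names the manifest assigns
    land in the locals dict; the globals dict only holds what we put in it.
    """
    g = {"__builtins__": dict(SAFE_BUILTINS)}
    if extra_globals:
        g.update(extra_globals)  # e.g. expose platform.uname() as 'uname'
    local_ns = {}
    exec(compile(source, "<manifest>", "exec"), g, local_ns)
    return g, local_ns


def assignment_only_manifest():
    # Constructed stand-in for the evil.py shown in the mail.
    src = "CONST = True\n\nl = [1, 2, 3]\nif 1 in l:\n    l.append(4)\n"
    return run_restricted(src, {"uname": platform.uname()})


def attempts_blocked():
    """Map each disallowed construct to the error the restricted scope raises."""
    results = {}
    for label, src in (
        ("import", "import os\n"),
        ("open", "f = open('somefile')\n"),
        ("exception", "x = ValueError\n"),
    ):
        try:
            run_restricted(src)
            results[label] = "allowed"
        except ImportError:      # no __import__ in builtins
            results[label] = "ImportError"
        except NameError:        # name not in locals, globals or builtins
            results[label] = "NameError"
    return results
```

Restricting the scope this way keeps manifests to assignments and conditionals; it is a convenience boundary for trusted build files, not a sandbox against deliberately hostile code.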