[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [pygame] Scripting language

To: pygame-users@xxxxxxxx
Subject: Re: [pygame] Scripting language
From: JoN <jon@xxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Dec 2006 11:46:05 +1100
Delivered-to: archiver@seul.org
Delivered-to: pygame-users-outgoing@seul.org
Delivered-to: pygame-users@seul.org
Delivery-date: Mon, 18 Dec 2006 19:41:35 -0500
In-reply-to: <347BF8DF-0C14-4B52-8A1D-A0B7DA8565F1@gmail.com>
References: <74a945120612162102s10cc1da8y31d50c4fa09d295e@mail.gmail.com> <e41aa83c0612180135y5ecd9a72s3e334eeb2e540e9@mail.gmail.com> <74a945120612180941v74dda2a8lb654a52789c0de83@mail.gmail.com> <200612190803.08935.richardjones@optushome.com.au> <EF8048E6-3744-4167-B3EA-3B8FCAF9A1ED@gmail.com> <499A3636-7197-4AF9-9565-56D5BB82F1F6@hispeed.ch> <7F73F842-E1FD-464E-B12B-744D2B96B371@gmail.com> <73F6B199-DE97-492E-93BE-50AC0810A7F8@hispeed.ch> <458723C6.1050408@pld-linux.org> <A124ED7E-CFD1-4C8C-B1AB-35335026B95D@hispeed.ch> <fdcd12710612181614p21fee5b7g6590e101233de2b@mail.gmail.com> <347BF8DF-0C14-4B52-8A1D-A0B7DA8565F1@gmail.com>
Reply-to: pygame-users@xxxxxxxx
Sender: owner-pygame-users@xxxxxxxx
User-agent: Internet Messaging Program (IMP) 3.1

This is something I'm very interested in.
I'm wondering if Van Rossum is thinking about this these days, but he's been
close-lipped about it on the searches I've done so far.

You can restrict access to imported classes and methods by fiddling with
Properties, kinda easily enough, but then how to apply an access model to it?
Particularly in a PyThreads environment, which is what I'm looking at.

Guess this is well off-topic for pygame but thought I'd throw some petrol on the
fire.

Jon


Quoting Brandon N <kordova@xxxxxxxxx>:

> I've been reading up on perspective broker since you emailed it and I  
> think a solution of that sort is the most likely that I will end up  
> with.
> 
> As for the examples you have posted, I had a rudimentary Python-like  
> scripting language I've been building that is translated to Python  
> after validation (against things like forever loops, unregistered  
> function calls and the like), but I agree that no amount of work will  
> really close the gaping holes that exist for abuse my malicious and  
> unknowing users.
> 
> Cheers,
>    Brandon
> 
> On Dec 18, 2006, at 7:14 PM, robomancer wrote:
> 
> >> I like the way Brian just sent before. I dont know any language that
> >> restricts its usage (would be neat feature for certain projects).
> >
> > Perl has "taint mode".  When enabled, Perl won't let you do any
> > "dangerous" operations (file accesses, system calls, etc) on data that
> > originally came from the user and hasn't been processed to remove its
> > "taintedness".
> >
> > On the other hand, allowing people to run arbitrary code on your
> > machine is a Bad Idea even if you *can* ensure that the filesystem
> > isn't touched.  What if they send any of the following?
> >
> > while True:
> >  pass
> >
> > def fib(n):
> >  return fib(n-1) + fib(n-2)
> > fib(1000000)
> >
> > def steal_data():
> >  send_to_client("127.0.0.1", pickle.dump(confidential.data.structure)
> >
> > There are just so many ways to exploit arbitrary code execution, from
> > malicious data corruption to denial-of-service to buffer-overflow
> > exploits (yes, this is possible even from within Python, if you use
> > any buggy C extension modules)... it's *really* not a good idea.  A
> > lot of very smart people have worked hard to solve this sort of
> > problem, and not made much progress.
> >
> > I either recommend having an explicit server/client API and forcing
> > people to use that API (whether it's invoked via Perspective Broker as
> > I suggested earlier, or something more standard like XML-RPC, CORBA,
> > or SOAP), or not allowing a "scripting language" at all, instead
> > opting for something like customizable configuration files that aren't
> > Turing-complete.
> 
> 




--------------------------------------------------------------------
Come and visit Web Prophets Website at http://www.webprophets.net.au

References:
- [pygame] map format
  - From: spotter .
- Re: [pygame] map format
  - From: Chris Smith
- Re: [pygame] map format
  - From: spotter .
- Re: [pygame] map format
  - From: Richard Jones
- [pygame] Scripting language
  - From: Brandon N
- Re: [pygame] Scripting language
  - From: Farai Aschwanden
- Re: [pygame] Scripting language
  - From: Brandon N
- Re: [pygame] Scripting language
  - From: Farai Aschwanden
- Re: [pygame] Scripting language
  - From: Jakub Piotr CÅapa
- Re: [pygame] Scripting language
  - From: Farai Aschwanden
- Re: [pygame] Scripting language
  - From: robomancer
- Re: [pygame] Scripting language
  - From: Brandon N

Prev by Author: Re: [pygame] Scripting language
Next by Author: Re: [pygame] Incarnation
Previous by thread: Re: [pygame] Scripting language
Next by thread: Re: [pygame] Scripting language
Index(es):
- Author
- Thread