Thanks for the feedback. I'll iron out the cross-browser
compatibility issues at some point.
So the code is running in a servlet, but I was under the impression
that since it's essentially compiling and evaluating Java code on the
fly, one could actually reconfigure the application if they really
wanted to. My assumption was that if the interpreter was using my
custom classloader, I could control which classes can be accessed when
the script is evaluated. But I'm really unsure of how the interpreter
any PySystemState work together. Can you elaborate on what you mean
by a servlet sandbox?
On Sat, Mar 13, 2010 at 11:11 AM, Josh Juneau <juneau001@...> wrote:
> Nice! It is definitely handy to have a tool such as this at your disposal.
> I did notice that it only works in Firefox though...I'm using a Mac. I
> first tried to use it with Safari and it didn't work. I noticed similar
> are always a pain. All of that aside, this works nicely in Firefox and is
> very cool.
> Regarding the sandboxing...I haven't had a chance to look at your code. Are
> you running a servlet here? If so, maybe a servlet sandbox would take care
> of some issues...such as prohibiting alteration of your application code.
> Hope this helps, and thanks for the cool app.
> Josh Juneau
> Twitter ID: javajuneau
> On Fri, Mar 12, 2010 at 1:05 PM, Tom Nichols <tmnichols@...> wrote:
>> Hello again, Jython community,
>> I'd first like to point out an early version of the Python web console:
>> Powered by Jython! This is similar to TryPython, except more in the
>> spirit of the Groovy Web Console where scripts can be published and
>> I know, the irony level is pretty high here, but I thought it could be
>> a good showcase for Jython. However, I'm not entirely comfortable
>> with the level of sandboxing done for scripts currently. If I _want_
>> my scripts to run in a totally isolated environment, with an isolated
>> classloader (so that generated classes can be thrown away,) how would
>> I do that? As I mentioned before, I'm not clear on how to set a
>> classloader per PythonInterpreter instance, and it appears that a
>> static classloader is used. Will defined classes eventually pile up
>> over time and never be GC'd?
>> If anyone can point to documentation or give advice on how to properly
>> isolate and sandbox scripts, that would be great. In addition, please
>> feel free to play with the console, tell your friends, and report any
>> bugs and suggestions for improvement back to me.
>> The full source can be downloaded from github as well:
>> 2010/3/4 Tom Nichols <tmnichols@...>:
>> > Hi Jython community,
>> > I'm trying to determine how one would sandbox an untrusted Jython
>> > script evaluated with PythonInterpreter.
>> > So far I've figured out that I can create a new PythonInterpreter with
>> > a new PySystemState every time, which will discard locals after every
>> > script execution. However I've noticed that PySystemState uses a lot
>> > of static fields to keep track of various things. Is it possible for
>> > an evaluated python script to affect some static portions of
>> > PySystemState?
>> > A secondary question is how to restrict scripts from accessing classes
>> > that are part of the application. I don't want scripts to modify my
>> > data model or reconfigure the web server. It looks like PySystemState
>> > takes two classloaders in its static initialize routine -- are one of
>> > them used to load classes that are referenced from evaluated scripts?
>> > Some context -- I'm attempting to write an online python script
>> > interpreter, similar to TryPython, TryRuby, and the Groovy Web
>> > Console. Actually I want this to be more like the Groovy Web Console
>> > where users can publish and share scripts. I teach an intro to Python
>> > class and I want my students to share scripts that they've created.
>> > The app itself will run on Google AppEngine (ironically not the Python
>> > runtime, since that is apparently more difficult to sandbox). Since
>> > Jython is meant to be embedded, I'm hoping someone has figured out how
>> > to sandbox it properly.
>> > Thanks in advance for the advice.
>> > -Tom
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> Jython-users mailing list