From: Mark N. <mar...@au...> - 2005-12-23 22:14:36
Alan G Isaac wrote:
>>On Fri, Dec 23, 2005, Alan G Isaac wrote:
>>
>>>How about a Python evaluation directive instead, only
>>>accepting a string as a return value, again only for
>>>substitutions.
>>
>
> On Fri, 23 Dec 2005, Aahz apparently wrote:
>
>>No. This has been hashed out over and over and over
>>again: no Python allowed in documents for standard reST.
>>(Obviously, people can write their own extensions to allow
>>it, and I have.) This is way way too big a security hole.
>>Just start with ``open('/etc/passwd', 'w')``.
>
> An 'eval' directive could be disabled by default but still
> exist for the convenience of users, who would have to enable
> it explicitly. Like write18 in TeX.

What I did with the Perl reST tool was to allow a Perl directive that
operates within a "use Safe" box so that it can't do anything that
might be dangerous, but can still do any safe operations, like
computations. I don't know if Python has an equivalent to "use Safe".

These safety restrictions can be lifted only by specifying "-D trusted"
on the command line, the typing of which means that the person running
the tool assumes explicit responsibility for anything that may go wrong.

--Mark
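The design described in this message (directive code evaluated in a Safe compartment unless the operator explicitly opts out) can be sketched as below. This is an added example, not code from the Perl reST tool: run_directive, the command-line parsing and the sample directive bodies are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not the Perl reST tool's code.
use strict;
use warnings;
use Safe;

# Hypothetical helper: evaluate one directive body.
# Returns (result, error); error is empty on success.
sub run_directive {
    my ($code, $trusted) = @_;
    my $result;
    if ($trusted) {
        # Operator opted in on the command line: unrestricted string eval.
        $result = eval $code;
    } else {
        # Default: a fresh compartment with Safe's default operator mask.
        # Arithmetic, string and list ops compile; file, process and
        # network ops are rejected before any of the code runs.
        my $cpt = Safe->new;
        $result = $cpt->reval($code);
    }
    my $err = $@;
    chomp $err;
    return ($result, $err);
}

# Mimics the "-D trusted" switch from the post; this parsing is assumed.
my $trusted = (@ARGV == 2 && $ARGV[0] eq '-D' && $ARGV[1] eq 'trusted') ? 1 : 0;

# Constructed directive bodies: two computations and one file access.
my @samples = (
    '6 * 7',
    'join ",", map { $_ ** 2 } 1 .. 4',
    q{open(my $fh, '<', '/tmp/constructed-sample.txt') or die "open failed"; 1},
);

for my $code (@samples) {
    my ($result, $err) = run_directive($code, $trusted);
    if ($err ne '') {
        print "ERROR  $code\n       $err\n";
    } else {
        print "OK     $code => $result\n";
    }
}
```

Safe only masks opcodes; its documentation lists memory and CPU exhaustion among the risks it does not address, so a directive that passes the mask can still loop without end.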