From: Randy P. <ran...@re...> - 2003-09-15 18:53:18
> String rule = //get rule string from the database
> PythonInterpreter pi = new PythonInterpreter();
> pi.set("aPerson.address.zipcode", aPerson.address.zipcode);
> pi.set("aPerson.address.countryCode", aPerson.address.countryCode);
> PyObject po = pi.eval(rule);

Be careful. There is a security risk in letting users type in Python code as an input String, and evaluating that code. Here are some links:

http://mail.python.org/pipermail/python-bugs-list/2001-November/008236.html
http://diveintomark.org/archives/2002/01/04/eval_is_evil
From: Dave C. <da...@cr...> - 2003-09-16 08:16:21
Hi Renato,

I don't think your line

    pi.set("aPerson.address.zipcode", aPerson.address.zipcode);

would work, off the top of my head. Rather, you'd need to use

    pi.set("aPythonPerson", aPerson);

and then access the nested variables using jython as

    >>> myzip = aPythonPerson.address.zipcode

Changing the scripted name to 'aPythonPerson' isn't necessary, of course. They can have the same name as the java variable, I just altered that to avoid ambiguity in my example.

You'll need to parse the user's input line somehow to extract the variable names from the rule. Depends how complex they are; if it's just nested booleans, you could probably get away with regular expressions (I like the apache ORO ones, but that's just my preferences and habits).

Alternatively, get the user to explicitly set the names of the variables somehow, and write the booleans in python-compatible syntax, then just eval the whole line in one go. Surely that's the simplest way? (And if you need to use 'and' rather than '&&', why not use a regex to substitute between those before you eval?)

Where do they define 'aPerson' before writing its name down in the rule? Wherever it is, you must have some internal data structure that knows its name and a reference to the variable. Can't you call the PythonInterpreter from there?

Hope that helps

Dave Crane
Sunwheel Technologies Ltd
Bristol, UK

> Hi everybody:
>
> I've just touched a problem but can't figure out if I can accomplish a
> solution using Jython.
>
> 1) A user writes a string containing a description of a rule in a web page
> form. For instance the user types:
> "(aPerson.address.zipcode == 9215) and (aPerson.address.countryCode == 25)"
> 2) The string is saved into a database for later use
> 3) PythonInterpreter loads this string and has to figure out how to
> traverse the "aPerson.address.zipcode" and "aPerson.address.countryCode"
> which reside in the Java namespace (ie: outside PythonInterpreter) and
> evaluate the rule with the found values.
>
> I've just read some documentation about the use of PythonInterpreter and
> it seems to me that the only way PythonInterpreter can be aware of what
> variables it can work with is by the use of the "PythonInterpreter.set(...)"
> method.
>
> The problem with the use of "PythonInterpreter.set(java.lang.String name,
> java.lang.Object value)" for my needs is that I can't hardcode either the
> "name" or the "value" objects required because I can't anticipate the
> user's needs.
>
> For example when the user decides to write the rule
> "(aPerson.address.zipcode == 9215) and (aPerson.address.countryCode == 25)"
> then the code should be something like this:
> -------------------------------------------------------------------
> String rule = //get rule string from the database
> PythonInterpreter pi = new PythonInterpreter();
> pi.set("aPerson.address.zipcode", aPerson.address.zipcode);
> pi.set("aPerson.address.countryCode", aPerson.address.countryCode);
> PyObject po = pi.eval(rule);
> -------------------------------------------------------------------
>
> What if a user later decides to write this "(aPerson.address.postalCode == 25)"?
> The code should be something like this:
>
> -------------------------------------------------------------------
> PythonInterpreter pi = new PythonInterpreter();
> pi.set("aPerson.address.postalCode", aPerson.address.postalCode);
> PyObject po = pi.eval(rule);
> -------------------------------------------------------------------
>
> I can't anticipate all the possible combinations and set variables
> accordingly to the PythonInterpreter.
>
> Is there any way PythonInterpreter can be aware of its outside context without
> explicitly telling it "what's going on"? Any other approach to solve this
> problem is welcome.
>
> Thanks
>
> Renato Salas
From: Renato S. <rs...@vo...> - 2003-09-15 19:19:25
Hi Randy:

The security risks would be minimized by showing the user a list of possible objects to use and also validating its use on both the client side and the server side. Also, the syntax the user will have would be totally different from Jython, so a parsing mechanism will also help to minimize security risks.

The need to call a Java object from within PythonInterpreter without adding it to the local namespace is still there.

Thanks a lot

Renato Salas