Re: remote read eval print loop

 
 
Chris Angelico
      08-16-2012
On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
<(E-Mail Removed)> wrote:
> Hello,
>
> I have a bunch of Python bindings for a 3rd party software running on the
> server side.
> I can add client side extensions that communicate over some http / xml type
> requests.
> So I can define functions that take a string and return a string.
> I would like to get a simple read eval print loop working.


Let's stop *right there*. You're looking for something that will run
on your server, take strings of text from a remote computer, and eval
them.

Please, please, please, on behalf of every systems administrator in
the world I beg you, please do not do this.

Instead, define your own high-level protocol and have your server
respond to that. One excellent way to keep things tidy is to use a
'command, parameters, newline' model: each line of text is one
instruction, consisting of a command word, then optionally parameters
after a space, then a newline. It's easy to debug, easy to read in
your code, and makes sense to anyone who's used a command-line
interface.

Six months from now, when your server still hasn't been compromised,
you'll appreciate the extra design effort.

Chris Angelico
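
The 'command, parameters, newline' model described in the post above, as an added example that is not part of the original thread: each line is looked up in an allow-list of handlers and anything else is refused rather than evaluated. The command names, `MAX_LINE`, and the `STATUS` handler standing in for a call into the server-side bindings are all assumptions made for illustration.

```python
MAX_LINE = 256  # assumed limit; oversized lines are rejected before parsing


def cmd_ping(args):
    return "PONG"


def cmd_status(args):
    # Hypothetical stand-in for a call into the server-side bindings.
    # Parameters are validated per command, never passed on blindly.
    if not args.isalnum():
        raise ValueError("item id must be alphanumeric")
    return "STATUS %s ok" % args


def cmd_echo(args):
    return args


# Allow-list: only handlers named in this table can ever run.
COMMANDS = {"PING": cmd_ping, "STATUS": cmd_status, "ECHO": cmd_echo}


def handle_line(line):
    """Process one 'command [parameters]' line and return one reply line."""
    if len(line) > MAX_LINE:
        return "ERR line too long"
    line = line.rstrip("\r\n")
    if not line.strip():
        return "ERR empty command"
    word, _, args = line.partition(" ")
    handler = COMMANDS.get(word.upper())
    if handler is None:
        # Unknown input is refused; nothing is ever passed to eval/exec.
        return "ERR unknown command"
    try:
        return "OK " + handler(args.strip())
    except ValueError as exc:
        return "ERR " + str(exc)


def handle_session(text):
    """Run a multi-line session and return the list of replies."""
    return [handle_line(l) for l in text.splitlines()]


if __name__ == "__main__":
    # Constructed sample input: two valid commands, one bad parameter,
    # and one line of Python that a remote REPL would have executed.
    sample = "PING\nSTATUS item42\nSTATUS item42; drop\nimport os\n"
    for reply in handle_session(sample):
        print(reply)
```
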
 
Steven D'Aprano
      08-17-2012
On Fri, 17 Aug 2012 08:43:50 +1000, Chris Angelico wrote:

> On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
> <(E-Mail Removed)> wrote:
>> Hello,
>>
>> I have a bunch of Python bindings for a 3rd party software running on
>> the server side.
>> I can add client side extensions that communicate over some http / xml
>> type requests.
>> So I can define functions that take a string and return a string. I
>> would like to get a simple read eval print loop working.
>
> Let's stop *right there*. You're looking for something that will run on
> your server, take strings of text from a remote computer, and eval them.
>
> Please, please, please, on behalf of every systems administrator in the
> world I beg you, please do not do this.
>
> Instead, define your own high-level protocol


Stop right there!

There are already awesome protocols for running Python code remotely over
a network. Please do not re-invent the wheel without good reason.

See pyro, twisted, rpyc, rpclib, jpc, and probably many others.




--
Steven
 
Chris Angelico
      08-17-2012
On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano
<(E-Mail Removed)> wrote:
> There are already awesome protocols for running Python code remotely over
> a network. Please do not re-invent the wheel without good reason.
>
> See pyro, twisted, rpyc, rpclib, jpc, and probably many others.


But they're all tools for building protocols. I like to make
line-based protocols that don't need middle-layers, you might like to
use RPC, doesn't matter; either way, neither of us is sending
untrusted code across the internet and executing it.

By all means, use pyro instead of plain sockets to build your
protocol; you still don't need a read/eval/print loop to run across a
network.

Personally, I'm of the opinion that simple text-based protocols are
usually sufficient, and much easier to debug - heavier things like RPC
tend to be overkill. But as Alister pointed out, my main point was not
about the details of how you design your protocol.

ChrisA
 
rusi
      08-17-2012
On Aug 17, 12:25 pm, Chris Angelico <(E-Mail Removed)> wrote:
> On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano
> <(E-Mail Removed)> wrote:
> > There are already awesome protocols for running Python code remotely over
> > a network. Please do not re-invent the wheel without good reason.
> >
> > See pyro, twisted, rpyc, rpclib, jpc, and probably many others.
>
> But they're all tools for building protocols. I like to make
> line-based protocols


Don't know if this is relevant. If it is, it's more in the heavyweight
direction.
Anyway, just saw this book yesterday:

http://springpython.webfactional.com/node/39
 
Chris Angelico
      08-17-2012
On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich
<(E-Mail Removed)> wrote:
> Within the debugging console, after importing all of the bindings, there
> would be no reason to import anything whatsoever.
> With just the bindings I created and the Python language we could do
> meaningful debugging.
> So if I block the ability to do any imports and calls to eval I should be
> safe right?


Nope. Python isn't a secured language in that way. I tried the same
sort of thing a while back, but found it effectively impossible. (And
this after people told me "It's not possible, don't bother trying". I
tried anyway. It wasn't possible.)

If you really want to do that, consider it equivalent to putting an
open SSH session into your debugging console. Would you give that much
power to your application's users? And if you would, is it worth
reinventing SSH?

ChrisA
 