Hannu Krosing wrote:
> Could we not just make sure that plpython uses python ver < 2.x and use
> plpythonu for python versions >= 2.x until a secure regex solution comes
> from Guido and folks?
>
> I guess most plpython users would be much happier with plpython with
> some minor limitations due to older version than with being forced to
> use an untrusted pl altogether.

But if rexec isn't safe they're just fooling themselves. There are only two kinds of safety for restricted environments: absolute and not. That's why the Python developers were honest and disabled rexec for now.

If you want to fool yourself, that's easy enough: ship a modified rexec.py with the 'raise RuntimeError, "This code is not secure ..."' removed ;-)

> IIRC python 1.5.2 has a perfectly good RExec.

You are likely mistaken. Because I was interested in getting this problem solved for plpython and because most rexec problems are because of the new-style classes in Python 2.2 and later, I asked on comp.lang.python whether it was safe with 2.1 and earlier.

Martin von Löwis told me it probably wasn't in http://groups.google.com/groups?selm=m3y8ztib79.fsf%40mira.informatik.hu-berlin.de

> Or is there a requirement that only latest language versions are used in
> pg 74 ;)

No, but I find it hard to believe that PL/python is used by untrusted users at all, so making it untrusted might not really be a problem in real life.

-- Gerhard

PS: Thanks Kevin for submitting the PL/Python patch. I intended to make it available at least as an untrusted language, but you beat me :)
