Indeed there are small security problems and big ones. The use of eval or
exec can cause really big problems. I'll try to show that in private. Not
here... I'm not sure I can do such a hack, but if the actual version uses exec
or eval, it would be possible.

My remark is just to help and not to criticize freely. Sorry for my English
because this is not my natural language.

Best regards.
Christophe
On 4 Nov 2013 09:46, "Nils Bruin" <nbr...@sfu.ca> wrote:

> On Sunday, November 3, 2013 11:19:45 PM UTC-8, projetmbc wrote:
>>
>> The use of AST is a pretty way BUT you must not use *eval* or *exec* because
>> of real security issues. It's easy to find explanations about that
>> on the web.
>>
>
> If you read these explanations, you'll see that by the same logic, you
> shouldn't run a notebook server because of real security issues (and if you
> don't understand that, then you should indeed not run a notebook server
> accessible to other people). The code that is input into a notebook is
> already run via something equivalent to exec (try and think of another way
> of letting sage do what it does). The code proposed is not less secure than
> what we're already doing in the notebook.
>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-support+unsubscr...@googlegroups.com.
> To post to this group, send email to sage-support@googlegroups.com.
> Visit this group at http://groups.google.com/group/sage-support.
> For more options, visit https://groups.google.com/groups/opt_out.
>
