Mailing List Archive: Python: Python

remote read eval print loop


eric.frederich at gmail

Aug 16, 2012, 1:54 PM

Post #1 of 10 (655 views)
remote read eval print loop

Hello,

I have a bunch of Python bindings for a 3rd party software running on the
server side.
I can add client side extensions that communicate over some http / xml type
requests.
So I can define functions that take a string and return a string.
I would like to get a simple read eval print loop working.

Without adding a bunch of syntax checking on the client side can I get the
behavior of the regular interpreter?
What I mean is things like going from >>> to ... after you start a block
(like if, while, for, etc).

Is this possible or can I not send over one line at a time and I'd have to
send over a complete block?

Thanks,
~Eric


rosuav at gmail

Aug 16, 2012, 3:43 PM

Post #2 of 10 (648 views)
Re: remote read eval print loop

On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
<eric.frederich [at] gmail> wrote:
> Hello,
>
> I have a bunch of Python bindings for a 3rd party software running on the
> server side.
> I can add client side extensions that communicate over some http / xml type
> requests.
> So I can define functions that take a string and return a string.
> I would like to get a simple read eval print loop working.

Let's stop *right there*. You're looking for something that will run
on your server, take strings of text from a remote computer, and eval
them.

Please, please, please, on behalf of every systems administrator in
the world I beg you, please do not do this.

Instead, define your own high-level protocol and have your server
respond to that. One excellent way to keep things tidy is to use a
'command, parameters, newline' model: each line of text is one
instruction, consisting of a command word, then optionally parameters
after a space, then a newline. It's easy to debug, easy to read in
your code, and makes sense to anyone who's used a command-line
interface.

Six months from now, when your server still hasn't been compromised,
you'll appreciate the extra design effort :)

Chris Angelico
--
http://mail.python.org/mailman/listinfo/python-list
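The 'command, parameters, newline' model Chris describes, as an added example that is not part of the thread: the first word of each line selects a handler from a fixed table, the rest is handed to that handler as a parameter string, and nothing from the wire is ever passed to eval. The command names, handlers and sample session are constructed for illustration.

```python
# Added example: a minimal line-based command dispatcher.
# Each request is one line: <command word> [<parameters>] <newline>.

def cmd_echo(params):
    return params

def cmd_add(params):
    # Parameters are parsed by the handler, never by the interpreter.
    return str(sum(int(tok) for tok in params.split()))

def cmd_help(params):
    return " ".join(sorted(COMMANDS))

# Allow-list of command words; anything else is rejected, not executed.
COMMANDS = {
    "echo": cmd_echo,
    "add": cmd_add,
    "help": cmd_help,
}

MAX_LINE = 1024  # refuse oversized requests before parsing them

def handle_line(line):
    """Process one request line and return the response line (no newline)."""
    if len(line) > MAX_LINE:
        return "ERR line too long"
    line = line.rstrip("\r\n")
    if not line.strip():
        return "ERR empty command"
    word, _, params = line.partition(" ")
    handler = COMMANDS.get(word.lower())
    if handler is None:
        return "ERR unknown command %r" % word
    try:
        return "OK " + handler(params)
    except ValueError as exc:
        # Bad parameters are a client error, not a server crash.
        return "ERR bad parameters: %s" % exc

def serve_lines(lines):
    """Run a sequence of request lines through the dispatcher."""
    return [handle_line(l) for l in lines]

if __name__ == "__main__":
    # Constructed sample session; the last line shows that a Python
    # expression is just an unknown command word to this server.
    for resp in serve_lines(["help\n", "add 1 2 3\n", "add 1 x\n", "print(1+1)\n"]):
        print(resp)
```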


steve+comp.lang.python at pearwood

Aug 16, 2012, 7:27 PM

Post #3 of 10 (650 views)
Re: remote read eval print loop

On Fri, 17 Aug 2012 08:43:50 +1000, Chris Angelico wrote:

> On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
> <eric.frederich [at] gmail> wrote:
>> Hello,
>>
>> I have a bunch of Python bindings for a 3rd party software running on
>> the server side.
>> I can add client side extensions that communicate over some http / xml
>> type requests.
>> So I can define functions that take a string and return a string. I
>> would like to get a simple read eval print loop working.
>
> Let's stop *right there*. You're looking for something that will run on
> your server, take strings of text from a remote computer, and eval them.
>
> Please, please, please, on behalf of every systems administrator in the
> world I beg you, please do not do this.
>
> Instead, define your own high-level protocol

Stop right there!

There are already awesome protocols for running Python code remotely over
a network. Please do not re-invent the wheel without good reason.

See pyro, twisted, rpyc, rpclib, jpc, and probably many others.




--
Steven


alister.ware at ntlworld

Aug 16, 2012, 11:38 PM

Post #4 of 10 (646 views)
Re: remote read eval print loop

On Fri, 17 Aug 2012 02:27:42 +0000, Steven D'Aprano wrote:

> On Fri, 17 Aug 2012 08:43:50 +1000, Chris Angelico wrote:
>
>> On Fri, Aug 17, 2012 at 6:54 AM, Eric Frederich
>> <eric.frederich [at] gmail> wrote:
>>> Hello,
>>>
>>> I have a bunch of Python bindings for a 3rd party software running on
>>> the server side.
>>> I can add client side extensions that communicate over some http / xml
>>> type requests.
>>> So I can define functions that take a string and return a string. I
>>> would like to get a simple read eval print loop working.
>>
>> Let's stop *right there*. You're looking for something that will run on
>> your server, take strings of text from a remote computer, and eval
>> them.
>>
>> Please, please, please, on behalf of every systems administrator in the
>> world I beg you, please do not do this.
>>
>> Instead, define your own high-level protocol
>
> Stop right there!
>
> There are already awesome protocols for running Python code remotely over
> a network. Please do not re-invent the wheel without good reason.
>
> See pyro, twisted, rpyc, rpclib, jpc, and probably many others.

I think you missed the main point of the previous post, which was:

Do NOT blindly eval data sent from a remote computer as it cannot be
trusted. This of course is assuming they are not on a secure connection,
but even then it is good practice as not all attacks come from outside.

Although I have to agree with you about not re-inventing wheels, they
invariably come out square :-)



--
<Kensey> RMS for President???
<RelDrgn> ...or ESR, he wants a new job ;)


rosuav at gmail

Aug 17, 2012, 12:25 AM

Post #5 of 10 (648 views)
Re: remote read eval print loop

On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano
<steve+comp.lang.python [at] pearwood> wrote:
> There are already awesome protocols for running Python code remotely over
> a network. Please do not re-invent the wheel without good reason.
>
> See pyro, twisted, rpyc, rpclib, jpc, and probably many others.

But they're all tools for building protocols. I like to make
line-based protocols that don't need middle-layers, you might like to
use RPC, doesn't matter; either way, neither of us is sending
untrusted code across the internet and executing it.

By all means, use pyro instead of plain sockets to build your
protocol; you still don't need a read/eval/print loop to run across a
network.

Personally, I'm of the opinion that simple text-based protocols are
usually sufficient, and much easier to debug - heavier things like RPC
tend to be overkill. But as Alister pointed out, my main point was not
about the details of how you design your protocol.

ChrisA


rustompmody at gmail

Aug 17, 2012, 4:09 AM

Post #6 of 10 (648 views)
Re: remote read eval print loop

On Aug 17, 12:25 pm, Chris Angelico <ros...@gmail.com> wrote:
> On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano
>
> <steve+comp.lang.pyt...@pearwood.info> wrote:
> > There are already awesome protocols for running Python code remotely over
> > a network. Please do not re-invent the wheel without good reason.
>
> > See pyro, twisted, rpyc, rpclib, jpc, and probably many others.
>
> But they're all tools for building protocols. I like to make
> line-based protocols

Don't know if this is relevant. If it is, it's more in the heavyweight
direction.
Anyway, just saw this book yesterday:

http://springpython.webfactional.com/node/39


eric.frederich at gmail

Aug 17, 2012, 6:28 AM

Post #7 of 10 (646 views)
Re: remote read eval print loop

What I wanted to implement was a debugging console that runs right on the
client rather than on the server.
You'd have to be logged into the application to do anything meaningful or
even start it up.
All of the C functions that I created bindings for respect the security of
the logged in user.

Within the debugging console, after importing all of the bindings, there
would be no reason to import anything whatsoever.
With just the bindings I created and the Python language we could do
meaningful debugging.
So if I block the ability to do any imports and calls to eval I should be
safe right?

On Fri, Aug 17, 2012 at 7:09 AM, rusi <rustompmody [at] gmail> wrote:

> On Aug 17, 12:25 pm, Chris Angelico <ros...@gmail.com> wrote:
> > On Fri, Aug 17, 2012 at 12:27 PM, Steven D'Aprano
> >
> > <steve+comp.lang.pyt...@pearwood.info> wrote:
> > > There are already awesome protocols for running Python code remotely over
> > > a network. Please do not re-invent the wheel without good reason.
> >
> > > See pyro, twisted, rpyc, rpclib, jpc, and probably many others.
> >
> > But they're all tools for building protocols. I like to make
> > line-based protocols
>
> Don't know if this is relevant. If it is, it's more in the heavyweight
> direction.
> Anyway, just saw this book yesterday:
>
> http://springpython.webfactional.com/node/39
> --
> http://mail.python.org/mailman/listinfo/python-list
>


rosuav at gmail

Aug 17, 2012, 7:06 AM

Post #8 of 10 (647 views)
Re: remote read eval print loop

On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich
<eric.frederich [at] gmail> wrote:
> Within the debugging console, after importing all of the bindings, there
> would be no reason to import anything whatsoever.
> With just the bindings I created and the Python language we could do
> meaningful debugging.
> So if I block the ability to do any imports and calls to eval I should be
> safe right?

Nope. Python isn't a secured language in that way. I tried the same
sort of thing a while back, but found it effectively impossible. (And
this after people told me "It's not possible, don't bother trying". I
tried anyway. It wasn't possible.)

If you really want to do that, consider it equivalent to putting an
open SSH session into your debugging console. Would you give that much
power to your application's users? And if you would, is it worth
reinventing SSH?

ChrisA


maniandram01 at gmail

Aug 18, 2012, 6:48 AM

Post #9 of 10 (645 views)
Re: remote read eval print loop

Not really. Try modifying ast.literal_eval. This will be quite secure.

On 17 August 2012 19:36, Chris Angelico <rosuav [at] gmail> wrote:

> On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich
> <eric.frederich [at] gmail> wrote:
> > Within the debugging console, after importing all of the bindings, there
> > would be no reason to import anything whatsoever.
> > With just the bindings I created and the Python language we could do
> > meaningful debugging.
> > So if I block the ability to do any imports and calls to eval I should be
> > safe right?
>
> Nope. Python isn't a secured language in that way. I tried the same
> sort of thing a while back, but found it effectively impossible. (And
> this after people told me "It's not possible, don't bother trying". I
> tried anyway. It wasn't possible.)
>
> If you really want to do that, consider it equivalent to putting an
> open SSH session into your debugging console. Would you give that much
> power to your application's users? And if you would, is it worth
> reinventing SSH?
>
> ChrisA
> --
> http://mail.python.org/mailman/listinfo/python-list
>
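As an added illustration (not from the thread) of what ast.literal_eval does and does not accept: it evaluates literal data syntax (numbers, strings, tuples, lists, dicts, sets, booleans, None) and raises on names, calls and statements, so it can parse data arriving over the wire but cannot call a binding or run a statement, which is what a debugging REPL needs. The sample inputs are constructed.

```python
# Added example: classify constructed inputs by whether ast.literal_eval
# accepts them as literal data or rejects them as code.
import ast

def parse_literal(text):
    """Return ('ok', value) for a literal, ('rejected', exception name) otherwise."""
    try:
        return ("ok", ast.literal_eval(text))
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: well-formed expression that is not a literal (name, call, ...)
        # SyntaxError: not an expression at all (statements, garbage)
        return ("rejected", type(exc).__name__)

def classify(samples):
    """Map each input string to its parse_literal result."""
    return {s: parse_literal(s) for s in samples}

if __name__ == "__main__":
    # Constructed inputs: data literals pass, code constructs are rejected.
    samples = [
        "42",
        "-5",
        "{'id': 7, 'tags': ['a', 'b']}",
        "(1, 2.5, None, True)",
        "len([1, 2])",        # a call: rejected
        "some_binding",       # a bare name lookup: rejected
        "x = 1",              # a statement: rejected
    ]
    for text, result in classify(samples).items():
        print("%-32r -> %r" % (text, result))
```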


eric.frederich at gmail

Aug 21, 2012, 6:22 AM

Post #10 of 10 (625 views)
Re: remote read eval print loop

This isn't really for users. It is for developers like me.
Yes it is a security hole but again, it is a debugger.

The people who will be using it can all ssh into the server machine with
the same ID that the server process is running on.
In fact, this is quite normal.

As it is right now, we log into these machines and start an interactive
Python and use the bindings to debug things.
This works well most of the time but when you do that you need to start
another session of the application.
It is useful to run code interactively from within an actual client session
where something has gone wrong.

In any case.... I got this working with a rudimentary SWT Java client
(yuck, but the application is based on Eclipse).

Below is the code I used. It has a singleton interactive console object.
I sub-classed it and defined another method "process" which simply calls
the "push" method after wrapping stdout and stderr.
It returns anything that was printed to stdout, stderr, and the return
value of the "push" method.

So now from the client I can process one line at a time and it behaves much
like the real interactive console... you wouldn't even realize there is all
this client / server / WSDL / xml / https junk going on.

############ BEGIN CODE

import sys
from code import InteractiveConsole

class MyBuffer(object):
    """Collects everything written to it; get() returns the text and clears it."""
    def __init__(self):
        self.buffer = []
    def write(self, data):
        self.buffer.append(data)
    def flush(self):
        pass  # file-like interface; nothing to flush
    def get(self):
        ret = ''.join(self.buffer)
        self.buffer = []
        return ret

class MyInteractiveConsole(InteractiveConsole):

    def __init__(self, *args, **kwargs):
        InteractiveConsole.__init__(self, *args, **kwargs)
        self.mb_out = MyBuffer()
        self.mb_err = MyBuffer()

    def process(self, s):
        """Feed one source line and return (stdout text, stderr text, more).

        'more' is True while the console is waiting for the rest of a block
        (the '...' prompt state) and False once the statement has run.
        """
        sys.stdout, sys.stderr = self.mb_out, self.mb_err
        try:
            more = self.push(s)
        finally:
            # Always restore the real streams, even if push() raises.
            sys.stdout, sys.stderr = sys.__stdout__, sys.__stderr__
        return self.mb_out.get(), self.mb_err.get(), more

print('creating new interactive console')
mic = MyInteractiveConsole()


On Fri, Aug 17, 2012 at 10:06 AM, Chris Angelico <rosuav [at] gmail> wrote:

> On Fri, Aug 17, 2012 at 11:28 PM, Eric Frederich
> <eric.frederich [at] gmail> wrote:
> > Within the debugging console, after importing all of the bindings, there
> > would be no reason to import anything whatsoever.
> > With just the bindings I created and the Python language we could do
> > meaningful debugging.
> > So if I block the ability to do any imports and calls to eval I should be
> > safe right?
>
> Nope. Python isn't a secured language in that way. I tried the same
> sort of thing a while back, but found it effectively impossible. (And
> this after people told me "It's not possible, don't bother trying". I
> tried anyway. It wasn't possible.)
>
> If you really want to do that, consider it equivalent to putting an
> open SSH session into your debugging console. Would you give that much
> power to your application's users? And if you would, is it worth
> reinventing SSH?
>
> ChrisA
> --
> http://mail.python.org/mailman/listinfo/python-list
>
