Re: PlPython

From: Gerhard Häring
Subject: Re: PlPython
Date:
Msg-id: 3EFFBF02.3090402@ghaering.de
In response to: Re: PlPython  (Hannu Krosing <hannu@tm.ee>)
Responses: Re: PlPython  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: PlPython  (Hannu Krosing <hannu@tm.ee>)
List: pgsql-hackers
Hannu Krosing wrote:
> could we not just make sure that plpython uses python ver < 2.x and use
> plpythonu for python versions >= 2.x until a secure regex solution comes
> from Guido and folks ?
> 
> I guess most plpython users would be much happier with plpython with
> some minor limitations due to older version than with being forced to
> use an untrusted pl altogether.

But if rexec isn't safe they're just fooling themselves. There's only 
two kinds of safety for restricted environments: absolute and not. 
That's why the Python developers were honest and disabled rexec for now.

If you want to fool yourself, that's easy enough: ship a modified 
rexec.py with the 'raise RuntimeError, "This code is not secure ..."' 
removed ;-)

> IIRC python 1.5.2 has a perfectly good RExec.

You are likely mistaken. Because I was interested in getting this 
problem solved for plpython and because most rexec problems are because 
of the new-style classes in Python 2.2 and later, I asked on 
comp.lang.python whether it was safe with 2.1 and earlier.

Martin von Löwis told me it probably wasn't in 
http://groups.google.com/groups?selm=m3y8ztib79.fsf%40mira.informatik.hu-berlin.de

> Or is there a requirement that only latest language versions are used in
> pg 74 ;)

No, but I find it hard to believe that PL/python is used by untrusted 
users at all, so making it untrusted might not really be a problem in 
real life.

-- Gerhard

PS: Thanks Kevin for submitting the PL/Python patch. I intended to make 
it available at least as an untrusted language, but you beat me :)

