CJI said:Well, sandboxing, if done well, is secure... But I really don't like the idea. You reduce danger of executing harmful code, but at the same time you greatly reduce functionality available in scripts. I just checked, out of curiosity, and this code worked:
import win32api
world.Note( win32api.GetComputerName() )
It means that almost all WinAPI calls are directly accessible from my python scripts. I could create new window (threading works to some extent - just accessing "world" object crashes MUSHClient, so I could really create another system-level window and do anything with it!), paint on the desktop, register (with pyHook) callback to intercept mouse and keyboard messages - system-wide (which is good, sometimes - and bad, if I want to write keylogger and convince someone to use my script...). And many, many more cool things, if I felt like refreshing my WinAPI skills.
If Python was properly sandboxed, this would (or at least should) be impossible. I'm not sure I really want to trade this functionality for security, especially considering that NOW it works that way and no one complains ;P
Well, yes. That's what makes it a good application language. And if the host program doesn't need to be very secure, sandboxing is completely optional (though I question how easy it would be to sandbox Python, too).
And the functionality issue is all down to what you want your users to be able to do. It's the flip side of sandboxing. The idea with sandboxing Lua is to hide all the directly abusable API calls - which is mostly just the OS and I/O libraries - and add your own APIs for doing what you want to allow. And of course you can reinstate some form of the original API, but perhaps limited to a specific directory rather than the whole computer, to minimize potential damage.
CJI said:
I think so too. And that's one of many reasons why I use MUSHClient, and why I think it's simply the best client out there. Please don't talk about dropping support for other languages. Pretty please :)
At this stage, I don't think it could happen. Too many people are used to it.
CJI said:
There are tools that automate part of the process. I know that they exist, but unfortunately I have no experience in using them... So as I said - maybe some day :)
Like SWIG? The functions being glued are kind of odd, I'm not sure how easy it would be. I've never used SWIG either, though.
CJI said:
I really think that there is nothing to defend. Threads are just one of many tools you can use. They are not evil, neither they are some kind of super solution of "panacea". They have their weak points and advantages. Especially now, when mutlicore processors are so common, using threads is worth considering. Synchronization is an issue, but done right - poses no real threat to stability (but debugging is still hard). Threads are not evil. Their misuse - is.
Well put. Still, I prefer to use threads for jobs that can be truly parallel; if at all possible I'd rather use an event-based approach like EventMachine.
CJI said:
Twisol explained later, but I think that embedding does not necessarily have to heavily restrict, or sandbox, embedded language. Twisol seems to have another opinion.
Quite right, it's not necessary. It really depends on the needs of the host application. When you're dealing with distributable third-party plugins, I'm inclined to prefer at least limited sandboxing. As you noted before, it wouldn't be nice to have a seemingly benign plugin erase all of your files.
CJI said:
I thought about it for a brief moment, but that would be adding complexity instead of reducing it. If I had to script some kind of socket communication I'd do this with non-blockng socket using TCP from pure Python.
Really? UDP is simpler than TCP, and when you're using it over the loopback interface (never leaving the physical computer), it's reliable. You just send packets at will, and receive them on the other end. That's exactly why UdpListen() was added, if I recall correctly. Before the advent of miniwindows, it could be used to communicate with an external program running additional windows.
CJI said:
And, as I said earlier, I consider this an advantage. I understand your concerns, but really, sandboxing Python or Ruby or (I guess) PERL cuts their usability by half at least. Their main strength are huge standard libraries (yes, yes, elegant and pragmatic design, metaprogramming capabilities, beautiful syntax, etc. too, but if I could choose language based on syntax and design I'd pick haskell or ocaml ;) ).
That's why I treat languages as separate tools. :) Lua is easy to sandbox. I'd never try to sandbox Python or Ruby, and I don't have much experience with any of the others you mentioned.
CJI said:
If security is that big of the concern, you always can sandbox whole app or even system, like with BOCHS or the likes. It will be secure, no matter how inefficient.
A bit overkill for the purposes I had in mind, however this is definitely something I will need to do with Aspect.
CJI said:
On the other hand - I wrote my persistent data storage using SQLAlchemy and MySQL, effectively bypassing MUSHClient variables and never using them. I'd be very unhappy if I had to rewrite it and use variables (or built in sqlite) again... Miniwindows are sweet, but using them with WinAPI-like calls is painfully inefficient (in terms of code complexity) - I prefer generating image with PIL and then rendering it. I couldn't do it in heavily restricted environment...
Eeeeergh. I completely agree with the miniwindow API, sadly. They're awesome, but they can be a real pain to use for truly complex things.
CJI said:
PS. Please correct any grammar or spelling mistakes I make. I read a lot in English and I have spell checker on, but I have very few opportunities to write, unfortunately.
I hardly had any idea you might have trouble with English. :) |
![[Previous page]](/images/thin_prev.gif){kind=small}
1
2 ![[Go to top]](/images/gototop.gif){kind=small}
top