[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Restricting eval
|
From: |
Panicz Maciej Godek |
|
Subject: |
Re: Restricting eval |
|
Date: |
Sun, 23 Mar 2014 19:33:33 +0100 |
Hi!
2014-03-23 19:07 GMT+01:00 Grant Rettke <address@hidden>:
> On Sat, Nov 30, 2013 at 2:26 PM, Panicz Maciej Godek
> <address@hidden> wrote:
>> And hence my question: is there any way to restrict
>> the execution environment of eval, e.g. to specify
>> which symbols should be available? (For security
>> reasons, I wouldn't want functions like "system"
>> or "exit" to be present in that environment)
>>
>> Or perhaps there's some better way to do that?
>
> How did you end up achieving your goal?
Oh, with Guile it turned out to be a piece of cake ;]
It's thanks to first-class modules and the fact that a module can be
provided as the second argument to eval.
Guile actually has e.g. (ice-9 safe-r5rs), which exports a safe subset
of Scheme, and (ice-9 null), which provides the most basic syntactic
bindings and no functions whatsoever.
So it is possible to either create a module in runtime using
make-fresh-user-module and add all the necessary bindings, or to have
some regular module prepared and obtain it using resolve-module.
This is more or less how I did it, but I have to admit that I did
neglect the security issues and designed the system to work rather
than to make it hacker-proof.
The bad news is that the module API isn't officially documented and
one needs to read the boot-9.scm file to figure out how it works (the
code is a good read, though).
HTH