[Sugar-devel] programming on thin ice

Walter Bender walter.bender at gmail.com
Fri Jan 30 14:11:01 EST 2009


Thanks for all the feedback. Not sure how best to proceed, but here is
a somewhat related question. I'd like to have one of my modules in TA
be editable by Pippy. This is in support of #2 below. The idea would
be to have one block whose code is in a separate .py that is loaded
from the Journal as a saved Pippy project. This will present the same
security risks as #1. My question is more mundane this time: how do I
reference an actual module that is in, for example, the instance
directory? (I am at the edge of my Python knowledge.)

-walter

On Thu, Jan 29, 2009 at 9:47 PM, Walter Bender <walter.bender at gmail.com> wrote:
> I've been in discussion with Bill Kerr and Tony Forster about how to
> make it easier for Sugar users to dig a bit deeper into code. Tony has
> a nice blog entry on the topic here: http://tonyforster.blogspot.com/
>
> (1) A simple idea I am exploring is to allow Turtle Art users to
> enter simple Python commands directly into a block, as per
> http://sugarlabs.org/go/Image:Ta-sin.png
>
> (2) I am also planning to add a block that calls a "nop" internally as
> an invitation to have new functionality added directly into the
> activity without the additional overhead of having to deal with
> managing all of the UI elements associated with adding blocks.
> (Perhaps View Source will save just that block to the Journal for
> editing in Pippy.)
>
> But here is my question:
>
> My code for #1 above is:
>
> def myfunc(lc, f, x):
>    myf = "def f(x): return " + f
>    userdefined = {}
>    try:
>        exec myf in globals(), userdefined
>    except:
>        raise logoerror("#syntaxerror")
>    return userdefined.values()[0](x)
>
> What I am concerned about is making the system vulnerable by letting
> arbitrary functions execute within TA. I can imagine that Rainbow
> would be of some protection here, but are there other things I can do
> to restrict, say to the math module, the functions available?
>
> -walter
>
> --
> Walter Bender
> Sugar Labs
> http://www.sugarlabs.org
>



-- 
Walter Bender
Sugar Labs
http://www.sugarlabs.org
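
On the quoted question about restricting a block to the math module, one approach is to validate the expression's syntax tree against a whitelist before evaluating it, because limiting the namespace handed to exec is not a security boundary on its own. This is an added example, not code from the thread or from Turtle Art; it is written for Python 3 (the post uses Python 2), and compile_block, BlockError, ALLOWED_NAMES and ALLOWED_NODES are hypothetical names.

```python
import ast
import math

# Names a block expression may reference: the argument x plus the public
# functions and constants of the math module (sin, sqrt, pi, ...).
ALLOWED_NAMES = {n: getattr(math, n) for n in dir(math) if not n.startswith("_")}

# Node types permitted in the expression; everything else (attribute access,
# subscripts, lambdas, comprehensions, keyword arguments, ...) is rejected.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Call, ast.Name, ast.Load,
    ast.Constant, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.Pow,
    ast.USub, ast.UAdd,
)

class BlockError(Exception):
    """Hypothetical stand-in for Turtle Art's logoerror."""

def compile_block(source):
    """Validate a one-line expression in x and return it as a callable."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError:
        raise BlockError("#syntaxerror")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise BlockError("#notallowed: " + type(node).__name__)
        if isinstance(node, ast.Constant) and (
                isinstance(node.value, bool) or not isinstance(node.value, (int, float))):
            raise BlockError("#notallowed: constant")
        if isinstance(node, ast.Name) and node.id != "x" and node.id not in ALLOWED_NAMES:
            raise BlockError("#notallowed: " + node.id)
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            raise BlockError("#notallowed: call")
    code = compile(tree, "<block>", "eval")
    def f(x):
        # No builtins are exposed; only the whitelisted math names and x.
        return eval(code, {"__builtins__": {}}, dict(ALLOWED_NAMES, x=x))
    return f
```

The whitelist limits which names and syntax a block can use; it does not bound CPU time or memory (a very large exponent, for instance), so a container such as Rainbow remains the outer layer.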

