Rookie Python-questions - python

Is it possible to make python run on your homepage? I know, this is a really stupid question but please don't pick on me for my stupidity :)
If it is possible, how? Do you have to upload/install the executing part of Python to your website using FTP? or...?
Edit: Just found out my provider does not support python and that shell access is completely restricted. Problem solved :)

Everything depends on the hosting provider you use for your homepage -- do they offer Python among their services, and, if so, what version, and how do you write server-side scripts to use it (is it CGI-only, or...?) -- if not, or the version / deployment options disappoint, what do they allow in terms of giving you shell access and running long-time processes?
It's impossible for us to judge any of these aspects, because every single one of them depends on your hosting provider, and absolutely none of them depends on Python itself!-)

Yes, you can. I don't know exactly how but I know it is possible. Maybe look into this website:
https://trinket.io/
This website lets you do this. I sent them a message to see how they do it so I will update this to let you know after they respond.

Python is a scripting language, though it is used gracefully for building back end web applications.

Related

AppEngine: Running Python code on the fly

Hello Python developers!
I'm a Java one and I know that there is a way of running Java code on the fly, but my question is, is there any way to do that with Python?
The main goal here is to enable middle-school students to start coding with chromebooks from day one on Python.
I've been looking for some resources, but I got nothing so far.
Thanks a lot!
http://shell.appspot.com might be of your interest. (there's a link to the source code too)
Hey, I just recovered a link to a nice page I used in the past. It shows the execution flow of a Python script. Students I taught found it very useful in terms of comparing with other languages they knew already, e.g. Java, how stack and arguments are being passed to the functions, memory allocations, etc:
http://people.csail.mit.edu/pgbovine/python/tutor.html
(click on "Visualize execution" button beneath the window with the code)
IPython allows you to run python interactively from a web environment. You can try a demo here: IPython. You can set this up on a local computer and have your students view it from their machines.
Coderbuddy lets you create and run AppEngine applications online, without having to download the AppEngine SDK, Python, or anything for that matter.
I use that when I do workshops, so I don't have to bother with making sure that everyone has the SDK and proper configurations in their machines. We just go straight to coding. :)

Is it possible to import a module in python without using "import" or "eval"? [duplicate]


How to encrypt files in twisted?

I'm using twisted to create a server.
Problem is, I must protect my code. Since I don't want to publish it, I'm not really interested in obfuscation or compilation of the python code.
My problem is, my twisted application must run with root uid and a lot of people have root access to this server.
I don't care if they can read it, but I want to be sure they can't modify it!
What is the best solution, knowing I'm using twisted? I've seen in twistd, tapconvert and mktap that twisted can "encrypt" my code, but I didn't find any good documentation about that.
Anybody to help me?
Thanks in advance for any answer =)
Have a nice day!
/!\ EDIT:
I got another question, I've written my code following this part of twisted documentation: http://twistedmatrix.com/documents/current/core/howto/application.html so I launch my server using a command like twistd -y server.py --logfile ...
Since I'm doing that, I assume I can't use software like cx_Freeze to hide my code, right?
You have a number of problems here.
my twisted application must run with root uid
This is bad. If there are vulnerabilities in your application, then they will be made more serious by running as root. You should consider finding a way to not run as root. For example, if you only run as root so you can bind to a low numbered port, consider using authbind instead.
a lot of people have root access to this server
Perhaps you should limit privileged access to those people who actually need it. If that isn't an option, then perhaps you should at least limit access to people you can trust. Someone who has root on a machine can do anything they want on that machine, and defeat any scheme you dream up.
I don't care if they can read it, but I want to be sure they can't modify it!
You should ask them not to modify it, then.
I've seen in twistd, tapconvert and mktap that twisted can "encrypt" my code, but I didn't find any good documentation about that. Anybody to help me?
You shouldn't bother trying to use the encryption features of twistd and mktap. These don't prevent anyone from changing your code. At best they might prevent someone from reading some of it. As you said, this isn't even your goal. Even if it were your goal, someone with root access will be able to decrypt these files easily, so it doesn't even help there.
If you give code to someone, expect them to be able to do anything and everything they want with it. If you put code on a server, you are effectively giving it to everyone with root access to that server.
So, stop thinking about encryption and other technical issues and think of some other way to achieve your goals - fire the untrustworthy administrators, use an appropriate license on the code, get an actual contract, etc.
AFAIK, there is no way to prevent a root user from modifying a plain text file. Root is just that, they can do anything they want with it including modifying. Why do so many people have root access to the machine anyway?
If you're concerned, you really have two options:
Encrypt the files in whatever way you want (I don't know if Twisted does it or how)
'Compile' the code for your platform. There are a few Python compilers out there but I don't know if they work with Linux. I'm a free software guy so I want people to read and modify my code. Protecting it doesn't concern me.
I guess you do have a third option of protecting it legally with a license. But if they violate your license then there's the cost of taking them to court over it.
Not many options. Sorry.
Anthony
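The answers above agree that nothing on the server can stop root from changing the files, which leaves detecting a change from somewhere else. The following is an added example, not code from the thread: a keyed manifest of the application directory that shows which files were added, removed or modified. It assumes the HMAC key and the signed manifest are kept on a machine the server's root users do not control; the function names are this example's own.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(digests, key):
    """Serialize the digests deterministically and attach an HMAC-SHA256 tag."""
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_tree(root, manifest, key):
    """Return sorted (path, status) differences; raise if the manifest was altered."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest tag mismatch")
    recorded = json.loads(manifest["body"])
    current = hash_tree(root)
    changes = []
    for path in sorted(set(recorded) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in recorded:
            changes.append((path, "added"))
        elif recorded[path] != current[path]:
            changes.append((path, "modified"))
    return changes


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key never touches the server
    with tempfile.TemporaryDirectory() as app:  # constructed sample deployment
        Path(app, "server.py").write_text("print('v1')\n")
        manifest = sign_manifest(hash_tree(app), key)
        Path(app, "server.py").write_text("print('tampered')\n")
        print(verify_tree(app, manifest, key))
```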

How would one go about developing a curses-based UI?

I'm planning to develop a GUI application that uses curses. The idea is to provide an extra interface for a web interface, so that everything on the web site could also be done via the UI.
Basically, it should be platform independent: the user would have to SSH to the server after which the UI would automatically take over.
First of all, is this doable? As far as I understand, it would be platform independent as long as the end-user had the proper terminal software installed. Correct me, if I'm wrong.
I was planning to use Python for this, as it is the language I'm the most proficient in. Python comes with the ncurses library and Urwid, which I've been told, is quite good.
After having a quick test with Urwid, I had some problems. The thing is, I'm quite worried that I won't find answers to the problems that I will encounter down the road because apparently curses UI-s aren't all the rage nowadays. Documentation and examples are thus quite scarce.
In conclusion, should I really embark on this and quit my whining or drop the idea altogether? Any other suggestions?
It's certainly possible, and curses-based applications are still written regularly (e.g. PuDB is only 14 months old) although maybe not very often.
Did you try asking questions on the Urwid mailing list and/or IRC channel?
oh my, wouldn't this be a dream!
i've seen a couple of things out there to varying degrees of success.
Morticious Thrind: http://thrind.xamai.ca/
future death toll: http://f-dt.com/?wptheme=wp-cli
wordpress yadda yadda, this could be as simple as a 960/blueprint CSS, prototype.js, and a oneliner:
//TODO: Implement useful functionality && unit tests && documentation
//TODO: read
try { eval($F(x)); } catch (e) { panic(); }
BUT! this type of thing is pretty radical. i mean- ANYTHING can happen on the canvas of a web-browser these days, but any terminal emulator or lynx serves this purpose with flair.
also be sure to check out: https://stackoverflow.com/questions/472644/javascript-collection-of-one-line-useful-functions
the real question is what sort of software you plan on ncursing (sic,pun,etc.)-- it probably already has some rather useful command-line interfaces (sh).
It can be done but it's a struggle. I would recommend improving the web interface. You can use JavaScript to add keyboard shortcuts, for example, which can be very helpful for a faster workflow (see Gmail's interface, for example).

Letting users upload Python scripts for execution

I understand that letting any anonymous user upload any sort of file in general can be dangerous, especially if it's code. However, I have an idea to let users upload custom AI scripts to my website. I would provide the template so that the user could compete with other AI's in an online web game I wrote in Python. I either need a solution to ensure a user couldn't compromise any other files or inject malicious code via their uploaded script or a solution for client-side execution of the game. Any suggestions? (I'm looking for a solution that will work with my Python scripts)
I am in no way associated with this site and I'm only linking it because it tries to achieve what you are getting after: jailing of python. The site is code pad.
According to the about page it is run under geordi and traps all sys calls with ptrace. In addition to being chroot'ed, they are on a virtual machine with firewalls in place to disallow outbound connections.
Consider it a starting point but I do have to chime in on the whole danger thing. Gotta CYA myself. :)
Using PyPy you can create a python sandbox. The sandbox is a separate and supposedly secure python environment where you can execute their scripts. More info here
http://codespeak.net/pypy/dist/pypy/doc/sandbox.html
"In theory it's impossible to do anything bad or read a random file on the machine from this prompt."
"This is safe to do even if script.py comes from some random untrusted source, e.g. if it is done by an HTTP server."
Along with other safeguards, you can also incorporate human review of the code. Assuming part of the experience is reviewing other members' solutions, and everyone is a python developer, don't allow new code to be activated until a certain number of members vote for it. Your users aren't going to approve malicious code.
Yes.
Allow them to script their client, not your server.
PyPy is probably a decent bet on the server side as suggested, but I'd look into having your python backend provide well defined APIs and data formats and have the users implement the AI and logic in JavaScript so it can run in their browser. So the interaction would look like: For each match/turn/etc, pass data to the browser in a well defined format, provide a JavaScript template that receives the data and can implement logic, and provide web APIs that can be invoked by the client (browser) to take the desired actions. That way you don't have to worry about security or server power.
Have an extensive API for the users and strip all other calls upon upload (such as import statements). Also, strip everything that has anything to do with file i/o.
(You might want to do multiple passes to ensure that you didn't miss anything.)
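An added example, not code from the thread, of the upload-time filter the last answer describes. It works on the parsed syntax tree rather than on the text, and rejects a script instead of editing it, so it sits in front of process-level isolation of the kind the other answers describe. The banned-name list, the `choose_move` entry point and the sample scripts are assumptions made for this example.

```python
import ast

# Assumed policy for this example: builtins an uploaded AI script may not reference.
BANNED_NAMES = {"open", "eval", "exec", "compile", "input", "getattr", "setattr",
                "delattr", "globals", "locals", "vars", "breakpoint"}


def find_violations(source, entry_point="choose_move"):
    """Return sorted (line, reason) pairs; an empty list means the script passes."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "syntax error")]
    found = set()
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            found.add((line, "import statement"))
        elif isinstance(node, ast.Name) and (
                node.id in BANNED_NAMES or node.id.startswith("__")):
            found.add((line, "banned name: " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Underscore attributes reach interpreter internals, so none are allowed.
            found.add((line, "private attribute: " + node.attr))
    # The template (hypothetical here) requires one top-level function to call.
    if not any(isinstance(n, ast.FunctionDef) and n.name == entry_point
               for n in tree.body):
        found.add((0, "missing entry point: " + entry_point))
    return sorted(found)


# Constructed sample uploads, not taken from the thread.
GOOD_SCRIPT = '''
def choose_move(state):
    best = max(state["moves"], key=lambda m: m["score"])
    return best["id"]
'''

BAD_SCRIPT = '''
import os
def choose_move(state):
    log = open("scores.db").read()
    return state.__class__
'''

if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(label, find_violations(script))
```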
