This is the mail archive of the guile@cygnus.com mailing list for the guile project.
ttn@mingle.glug.org writes:

> i'm going to now guess that a "safe" eval must necessarily be
> implemented as a primitive. still, i don't really believe it and
> continue to wonder if there is any way one could create `safe-eval'
> from just Scheme?

Scheme48 and scsh, which is built on top of it, support the construction of a safe eval. The sunet webserver, written in scsh, has an example of this. The gist is that you create a package that just imports the things that you deem safe, possibly redefining some symbols. The eval takes an environment argument, so you create a fresh new environment containing only the safe package you just defined, and then pass that as the second argument to eval.

toothless.scm is the file you wanna check out in the sunet distribution. The web server uses this to accept code from clients for execution on the server. I am going to be adapting it slightly to interpret scheme embedded in SGML/XML documents as I serve them.

> > When some remote server wants to execute some code on your system,
> > that server has to log in just like any other user.
>
> authentication is another safety measure, it's true. using traditional
> approaches makes sense, too. for the purposes of this discussion,
> however, i'm assuming that that layer can be handled independently.

In the case of the scsh "sunet" web server you could use web authentication for instance, and your identification could then be mapped onto an environment which gives you the proper capabilities. So Joe Blow only gets a bare bones r4rs environment with no file or socket access and no access to implementation internals, but Larry Lambda gets the r5rs with file access, a database interface, and access to the web server control structures cause he be the man.
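The per-user environment idea described in the message above, as an added example that is not part of the original post or of the sunet code. It assumes Guile and its (ice-9 safe) module rather than Scheme48 packages; the user names, the capability table and the safe-eval helper are hypothetical.

```scheme
;; Added example (assumption: Guile, not the Scheme48/scsh setup in the post).
;; make-safe-module returns a fresh module that imports only the bindings
;; re-exported by (ice-9 safe-r5rs): no file, socket or system access.
(use-modules (ice-9 safe))

;; Hypothetical capability table: authenticated user -> extra bindings
;; granted on top of the bare safe environment.
(define capabilities
  `((joe   . ())
    (larry . ((file-exists?    . ,file-exists?)
              (open-input-file . ,open-input-file)))))

;; Build a fresh environment for every request so that definitions made
;; by one piece of client code never leak into the next evaluation.
(define (environment-for user)
  (let ((env    (make-safe-module))
        (grants (assq user capabilities)))
    ;; Unknown users get no grants and fall through to the bare environment.
    (if grants
        (for-each (lambda (binding)
                    (module-define! env (car binding) (cdr binding)))
                  (cdr grants)))
    env))

;; Evaluate client code in the caller's environment. Any error, including
;; a reference to a name that was never imported, is reported as a
;; rejection instead of propagating into the server.
(define (safe-eval expr user)
  (catch #t
    (lambda () (eval expr (environment-for user)))
    (lambda (key . args) (list 'rejected key))))

;; Constructed sample requests.
(for-each
 (lambda (request)
   (write (list (car request) (cdr request)
                '=> (safe-eval (cdr request) (car request))))
   (newline))
 '((joe   . (+ 1 2))                   ; plain arithmetic is available to all
   (joe   . (file-exists? "/tmp"))     ; name is unbound in joe's environment
   (larry . (file-exists? "/tmp"))))   ; larry was granted the binding
```

Restricting the bindings limits what client code can name, not how long it runs or how much memory it allocates, so a server accepting remote code still needs separate resource limits. Every procedure placed in the table is a full grant: handing out open-input-file gives access to any path the server process can read.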