Closed refi64 closed 8 years ago
This is the same problem as in the regexp function - dynamic imports are disallowed in safe mode, and both re and urllib use them. I'm not really sure why they are disallowed though, since we also have full-eval, and super-quote disabled.
The reason imports are disabled in safemode is to guard against accidental security breaches. There are two lines of defence: first, we eliminate the obvious means of running arbitrary python code, and second, we try to ensure that if arbitrary python code is executed, security doesn't fall.
A past bug in string escaping allowed arbitrary python code execution without full eval or super-quote, so I don't want the removal of full eval and super-quote to be the only line of defence.
While I'd like to work around this, allowing general import is not the solution I'd like to go with.
@isaacg1 You could always override the __import__ function to only allow importing certain files and throw an error for anything else.
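An added example, not part of the thread and not Pyth's own code, of the allowlist approach suggested in the comment above: code is executed with a copy of the builtins in which `__import__` is replaced by a guard that admits only named top-level packages. The names `ALLOWED_ROOTS`, `guarded_import` and `run_restricted` are hypothetical, and the allowlist (re, urllib) is an assumption taken from the modules the thread mentions.

```python
import builtins

# Assumed allowlist: the two modules named in the thread.
ALLOWED_ROOTS = frozenset({"re", "urllib"})

_real_import = builtins.__import__


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__ that admits only allowlisted top-level packages."""
    if level != 0:
        # Relative imports have no meaning for evaluated snippets; refuse them.
        raise ImportError("relative imports are not allowed in safe mode")
    root = name.partition(".")[0]  # "urllib.parse" -> "urllib"
    if root not in ALLOWED_ROOTS:
        raise ImportError(f"import of {name!r} is not allowed in safe mode")
    return _real_import(name, globals, locals, fromlist, level)


def make_safe_builtins():
    """Copy the builtins namespace and swap in the guarded importer."""
    safe = dict(vars(builtins))
    safe["__import__"] = guarded_import
    return safe


def run_restricted(source):
    """Execute source with the guarded builtins and return the names it defined."""
    env = {"__builtins__": make_safe_builtins()}
    exec(compile(source, "<safe-mode>", "exec"), env)
    env.pop("__builtins__")
    return env


if __name__ == "__main__":
    # Constructed inputs: one allowed import, one refused import.
    print(run_restricted("import re\nm = re.match(r'a+', 'aaab').group(0)")["m"])
    try:
        run_restricted("import os")
    except ImportError as exc:
        print("blocked:", exc)
```

The allowed modules still perform their own internal imports normally, because they resolve `__import__` from the real builtins rather than from the restricted copy. The guard covers only the import path of the executed source; it is one layer of the second line of defence described above, not a sandbox by itself.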
Not worth fixing, but I would accept a pull request that fixed this.
https://pyth.herokuapp.com/?code=%27%22https%3A%2F%2Fwww.google.com%2F&debug=0
Code:
Output: