Just a quick FGPythonSys update. I'm currently working on a proper test suite for FlightGear and I will convert all the tests in the py-ogel test.py script into real unit tests. This is not easy - think along the lines of eliminating the 'globals' class and making FGPythonSys completely independent of the fgfs binary, which I have done!
@Hooray:
Once I have the test suite up and running and all the current features of FGPythonSys have 100% test coverage, I'll look into all your great suggestions.
@www2:
For sandboxing, note that you can replace these modules in the sys.modules data structure. This means that typing 'import os' will import the replacement located in sys.modules. However there are ways around this using Python's extremely powerful introspection mechanisms. I did work out how to get to the original 'os' module after replacing sys.modules['os'], and this was in a deep place where the original module could not be replaced. Unfortunately I didn't write this down, so I would need to look again (there's plenty of info on the web on how to do this). A second problem is that Python will load Python/C modules. This means that you can just write a replacement 'os' module and bundle it with the aircraft.
Therefore sandboxing is not a good security solution. Note that these issues will never be listed as a security issue by CERT - this is just a mechanism for delivering trojan horses.
A better solution is to build up the concept of trust. You would do this by pre-parsing of the Python scripts, checking for all 'import' or equivalent statements. You would then follow the imports to see if it is from $FG_ROOT, from the aircraft, the Python standard library or elsewhere, following all paths in sys.paths (not just the standard load order). Then if there is any import of the 'os' or 'sys' modules, using introspection methods as well, or any non Python standard path loading of a C module (i.e. not a text file), then the pre-screening can label the aircraft (or other content) as unsafe and refuse to load it. The pre-parsing would follow all non-standard imports and check those too. We could then create a command line option such as --trusted-path to allow aircraft to be labelled as safe by the user, for example for all FGAddon aircraft, so that these load faster.
All of this pre-parsing could be locked into stone via the test suite I am developing. Each import mechanism and its blacklisting by the pre-parsing can be tested in separate unit tests.
Regards,
Edward
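The pre-parsing trust check sketched above, as an added example that is not FGPythonSys code or Edward's own: it parses aircraft scripts with `ast` without executing them, follows imports into the aircraft's own modules, resolves every other import with `importlib.util.find_spec` (which locates a module without importing it), and refuses content that imports a blacklisted module by any mechanism, loads a C extension from outside the standard library, or pulls pure-Python code from a path that is neither the standard library nor a trusted root such as $FG_ROOT. The blacklist, the `trusted_roots` parameter, and the sample aircraft sources are assumptions chosen for illustration, not anything from the project.

```python
"""Static import screener in the spirit of the pre-parsing 'trust' check.

Added example, not FGPythonSys code. The blacklist, the introspection names and
the sample aircraft content below are assumptions chosen for illustration.
"""
import ast
import importlib.machinery
import importlib.util
import os
import sysconfig
from dataclasses import dataclass, field

# Modules whose import, by any mechanism, marks content as untrusted (assumed list).
BLACKLIST = {"os", "sys", "subprocess", "ctypes", "importlib", "builtins"}
# Callables that import at runtime: the 'equivalent statements' of the post.
DYNAMIC_IMPORTERS = {"__import__", "importlib.import_module"}
# Bare names that hand a script a handle on interpreter internals.
INTROSPECTION_NAMES = {"__builtins__", "__loader__"}

_paths = sysconfig.get_paths()
STDLIB_DIRS = tuple(os.path.realpath(_paths[k]) for k in ("stdlib", "platstdlib"))
EXT_SUFFIXES = tuple(importlib.machinery.EXTENSION_SUFFIXES)


@dataclass
class Finding:
    script: str
    lineno: int
    subject: str
    reason: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def trusted(self) -> bool:
        return not self.findings


def _under(path, roots):
    return any(path.startswith(os.path.realpath(r) + os.sep) for r in roots)


def classify(top_name, trusted_roots=()):
    """Locate a top-level module on sys.path without importing it and say where it lives."""
    try:
        spec = importlib.util.find_spec(top_name)
    except Exception:  # malformed names or broken finders: treat as unresolvable
        spec = None
    if spec is None:
        return "missing"
    if spec.origin in (None, "built-in", "frozen"):
        return "builtin"
    origin = os.path.realpath(spec.origin)
    in_stdlib = _under(origin, STDLIB_DIRS)
    if origin.endswith(EXT_SUFFIXES):  # C module: only acceptable from the standard library
        return "stdlib" if in_stdlib else "foreign-extension"
    if in_stdlib:
        return "stdlib"
    if _under(origin, trusted_roots):
        return "trusted-root"
    return "non-standard-path"


def _dotted(node):
    """Render a Name/Attribute chain such as importlib.import_module as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _imports_in(tree):
    """Yield (lineno, module_or_None, reason) for every import mechanism recognised."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield node.lineno, alias.name, "import statement"
        elif isinstance(node, ast.ImportFrom):
            if node.level:  # relative import: resolved against the content's own modules
                for alias in node.names:
                    yield node.lineno, node.module or alias.name, "relative import"
            else:
                yield node.lineno, node.module, "from-import"
        elif isinstance(node, ast.Call) and _dotted(node.func) in DYNAMIC_IMPORTERS:
            arg = node.args[0] if node.args else None
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                yield node.lineno, arg.value, "dynamic import"
            else:
                yield node.lineno, None, "dynamic import with non-literal module name"
        elif isinstance(node, ast.Name) and node.id in INTROSPECTION_NAMES:
            yield node.lineno, None, f"introspection via {node.id}"


def screen(content, entry, trusted_roots=()):
    """Pre-parse `entry` and every content module it reaches; nothing is executed.

    `content` maps the module names shipped with the aircraft to their source text."""
    report, seen, queue = Report(), set(), [entry]
    while queue:
        name = queue.pop()
        if name in seen:
            continue
        seen.add(name)
        try:
            tree = ast.parse(content[name], filename=name)
        except SyntaxError as exc:
            report.findings.append(Finding(name, exc.lineno or 0, name, "unparseable source"))
            continue
        for lineno, module, reason in _imports_in(tree):
            if module is None:
                report.findings.append(Finding(name, lineno, "?", reason))
                continue
            top = module.split(".")[0]
            if top in content:  # follow the aircraft's own modules too
                queue.append(top)
            elif top in BLACKLIST:
                report.findings.append(Finding(name, lineno, module, f"blacklisted ({reason})"))
            else:
                where = classify(top, trusted_roots)
                if where not in ("builtin", "stdlib", "trusted-root"):
                    report.findings.append(Finding(name, lineno, module, f"{where} ({reason})"))
    return report


# Constructed sample content: an aircraft that only uses the standard library and its own
# helper, and one whose helper reaches 'os' through __import__ rather than an import statement.
SAFE_AIRCRAFT = {
    "c172p": "import math\nimport json\nfrom . import gear\n",
    "gear": "import math\n\ndef damping(v):\n    return math.exp(-v)\n",
}
TROJAN_AIRCRAFT = {
    "c172p": "import json\nfrom . import gear\n",
    "gear": "_o = __import__('os')\n",
}

if __name__ == "__main__":
    for label, aircraft in (("safe", SAFE_AIRCRAFT), ("trojan", TROJAN_AIRCRAFT)):
        report = screen(aircraft, "c172p")
        print(label, "trusted" if report.trusted else report.findings)
```

Each import mechanism the screener recognises (plain import, from-import, relative import, `__import__`, `importlib.import_module`, bare introspection names) is a separate branch in `_imports_in`, so each can get its own unit test in the kind of suite described above; a non-literal module name in a dynamic import is reported as a finding on its own, since the screener cannot tell statically what would be loaded.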