How to implement a thin-client application with PyQt
Here is what I would like to do, and I want to know how some people with experience in this field do this:
With three POST requests I get from the http server:
- widgets and layout
- and then app logic (minimal)
- data
Or maybe it's better to combine the first two or all three. I'm thinking of using pyqt. I think I can load .ui files. I can parse json data. I just think it would be rather dangerous to pass code over a network to be executed on the client. If someone can hijack the connection, or can change the app's settings to access a bogus server, that is nasty.
I want to do it this way because it keeps all the clients up-to-date. It's sort of like a webapp but simpler because of Qt. Essentially the "thin" app is just a minimal compiled python file that loads data from a server.
How can I do this without introducing security issues on the client? Is https good enough? Is there a way to get pyqt to run in a sandbox of sorts?
PS. I'm not stuck on Qt or python. I do like the concept though. I don't really want to use Java - server or client side.
Answers (2)
Your desire to send "app logic" from the server to the client without sending "code" is inherently self-contradictory, though you may not realize that yet -- even if the "logic" you're sending is in some simplified ad-hoc "language" (which you don't even think of as a language;-), to all intents and purposes your Python code will be interpreting that language and thereby execute that code. You may "sandbox" things to some extent, but in the end, that's what you're doing.
To avoid hijackings and other tricks, instead, use HTTPS and validate the server's cert in your client: that will protect you from all the problems you're worrying about (if somebody can edit the app enough to defeat the HTTPS cert validation, they can edit it enough to make it run whatever code they want, without any need to send that code from a server;-). Once you're using https, having the server send Python modules (in source form if you need to support multiple Python versions on the clients, else bytecode is fine) and the client thereby save them to disk and import / reload them, will be just fine. You'll basically be doing a variant of the classic "plugins architecture" where the "plugins" are in fact being sent from the server (instead of being found on disk in a given location).
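To make the "plugins over verified HTTPS" design from the answer above concrete, here is a client-side Python sketch. It is an added example, not code from the original post or from PyQt: the TLS context enforces certificate and hostname verification (optionally pinned to your own CA bundle), the fetch helper refuses non-TLS URLs, and the installer saves a module into a plugin directory and imports or reloads it. The plugin name, the module sources and the offline walk-through in `demo()` are constructed for illustration; `fetch_module_source` is the only part that touches the network and is not called by the demo.

```python
"""Client side of the 'plugins delivered over HTTPS' design.

Added example, not code from the original post. The plugin name and the
module sources used in demo() are constructed for illustration.
"""
import importlib
import pathlib
import ssl
import sys
import tempfile
import urllib.request
from typing import Optional


def make_client_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that refuses any server whose certificate does not verify.

    create_default_context() already requires a valid chain and a matching
    hostname. Passing your own CA bundle (ca_pem) pins the client to that CA
    only, so a 'bogus server' would need your CA's private key, not merely a
    certificate from some public CA.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_module_source(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Download one module body. With a verifying context, urlopen raises
    ssl.SSLCertVerificationError on an untrusted or mismatched certificate
    instead of silently talking to the wrong host."""
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch code over a non-TLS URL: " + url)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def install_plugin(name: str, source: bytes, plugin_dir: pathlib.Path):
    """Save a fetched module into the plugin cache and import (or reload) it.

    The server-supplied name is only used as a file name if it is a plain
    identifier, so a malicious response cannot write outside plugin_dir.
    """
    if not name.isidentifier():
        raise ValueError("bad plugin name: %r" % name)
    plugin_dir.mkdir(parents=True, exist_ok=True)
    (plugin_dir / (name + ".py")).write_bytes(source)
    # Never cache bytecode for downloaded code: a stale .pyc with the same
    # mtime and size as a new source file would otherwise be imported instead.
    sys.dont_write_bytecode = True
    if str(plugin_dir) not in sys.path:
        sys.path.insert(0, str(plugin_dir))
    importlib.invalidate_caches()
    if name in sys.modules:
        return importlib.reload(sys.modules[name])
    return importlib.import_module(name)


def demo() -> dict:
    """Offline walk-through: no network; the 'server responses' are constructed."""
    ctx = make_client_context()
    plugin_dir = pathlib.Path(tempfile.mkdtemp(prefix="thinclient_"))
    v1 = b"VERSION = 1\n\ndef greet(who):\n    return 'hello ' + who\n"
    v2 = b"VERSION = 2\n\ndef greet(who):\n    return 'goodbye ' + who\n"
    mod = install_plugin("demo_plugin_greet", v1, plugin_dir)
    first = (mod.VERSION, mod.greet("client"))
    mod = install_plugin("demo_plugin_greet", v2, plugin_dir)  # later 'update' from the server
    second = (mod.VERSION, mod.greet("client"))
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "first": first,
        "second": second,
    }


if __name__ == "__main__":
    print(demo())
```

In a real client you would call `fetch_module_source("https://your-server/plugins/<name>.py", make_client_context("your-ca.pem"))` and pass the bytes to `install_plugin`; any certificate the pinned CA did not issue makes `urlopen` raise before a single byte of code is written to disk.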
Use a web browser: it is a well-documented system that does everything you want. It is also relatively fast to create simple graphical applications in a browser. Examples for my reasoning:
The Sage math environment has built their graphical client as an application that runs in a browser, together with a local web-server.
There is the Pyjamas project that compiles Python to Javascript. This is IMHO worth a try.
Edit:
You could try PyPy's sandbox interpreter, as a secure Python interpreter for the code that was transferred over a network.
And then there is the most simple solution: simply send Python modules over the network, but sign and/or encrypt them. This is the way all Linux distributions work. You store a cryptographic token on the local computer. The server signs/encrypts the code before it sends it, with a matching token. GPG should be able to do it.
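The signed-module idea from the answer above, as an added example that is not code from the original post. Stdlib HMAC-SHA256 with a shared secret stands in for the GPG signature the answer mentions, with one caveat: HMAC is symmetric, so the client holds the same key that signs. That defeats tampering on the wire and a swapped-in server, but a user who extracts the key from the client can sign their own modules; use an asymmetric signature (GPG, Ed25519) when that matters. The signature covers the module name and a version number as well as the content hash, so a valid manifest for one module cannot be replayed as another and an older signed release cannot be passed off as the current one. The key, module names and sources in `demo()` are constructed.

```python
"""Signed module delivery: the server signs, the client verifies before importing.

Added example, not code from the original post. HMAC-SHA256 with a shared key
stands in for the GPG signature mentioned in the answer (see caveat above).
"""
import hashlib
import hmac
import types


class BadSignature(Exception):
    """Raised when a manifest fails verification; nothing is executed."""


def _signed_message(name: str, version: int, digest: str) -> bytes:
    # Bind name and version into the signed data, not just the content hash:
    # module A's manifest then cannot be replayed as module B, and an old
    # release cannot be presented as a newer one.
    return "{}\n{}\n{}".format(name, version, digest).encode()


def sign_module(name: str, version: int, source: bytes, key: bytes) -> dict:
    """Server side: build a manifest binding name, version and content."""
    digest = hashlib.sha256(source).hexdigest()
    sig = hmac.new(key, _signed_message(name, version, digest), hashlib.sha256).hexdigest()
    return {"name": name, "version": version, "sha256": digest,
            "sig": sig, "source": source.decode("utf-8")}


def verify_and_load(manifest: dict, key: bytes, min_version: int = 0) -> types.ModuleType:
    """Client side: verify everything first; execute only on success."""
    name = manifest["name"]
    version = int(manifest["version"])
    source = manifest["source"].encode("utf-8")
    if not name.isidentifier():
        raise BadSignature("bad module name")
    if version < min_version:
        raise BadSignature("downgrade: got version %d, require >= %d" % (version, min_version))
    digest = hashlib.sha256(source).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise BadSignature("content hash mismatch")
    expected = hmac.new(key, _signed_message(name, version, digest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise BadSignature("signature mismatch")
    module = types.ModuleType(name)
    exec(compile(source, "<signed:%s>" % name, "exec"), module.__dict__)
    return module


def demo() -> dict:
    """Constructed walk-through: one good manifest and three that must be rejected."""
    key = b"constructed-shared-secret-not-for-real-use"
    good_src = b"def total(qty, unit):\n    return qty * unit\n"
    good = sign_module("pricing", 3, good_src, key)
    results = {"good": verify_and_load(good, key, min_version=2).total(3, 4)}

    cases = {
        # content changed after signing: hash no longer matches the manifest
        "tampered": (dict(good, source="def total(qty, unit):\n    return 0\n"), 3),
        # signed with a key the client does not trust
        "wrong_key": (sign_module("pricing", 3, good_src, b"attacker-key"), 0),
        # genuine but older release replayed against a client that has seen v3
        "downgrade": (sign_module("pricing", 1, good_src, key), 3),
    }
    for label, (manifest, min_version) in cases.items():
        try:
            verify_and_load(manifest, key, min_version=min_version)
            results[label] = "executed"
        except BadSignature:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

In a deployed client `min_version` would come from a persisted record of the last version successfully loaded, and the manifest would travel alongside the module over the same verified HTTPS channel; signing adds protection at rest and a second, independent check, it does not replace certificate validation.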