I am developing a project that uses embedded Python. This project requires access to a local variable from a C function called by the Python interpreter. I was using global variables, but I read the answer to this question which states:
Capsules are basically python-opaque void pointers that you can pass around or associate with modules. They are "the way" to solve your problem.
My question is: how is this not a huge security vulnerability? From what I understand, Python has no interpreter checks on accessing private variables. If you are passing around a pointer that is accessible by user-defined Python scripts, couldn't the user theoretically cause a segmentation fault or run arbitrary code by simply accessing the capsule, setting it to another value, and then running the C function from Python that operates on the pointer in the capsule?
EDIT
Title has been updated to reflect the follow-up question:
So I now see that there are more pressing concerns than capsules if someone has access to a Python script being run by a trusted interpreter. My follow-up question is how this is not considered a Really Bad Idea™ from a software development standpoint? I would prefer not to even give my users the ability to interface with my C code in a way that can cause a segmentation fault (even if they would have to modify private variables to do so). This does not sound like defensive coding to me. Is this encompassed by the "Python culture" argument, or is there a way to use capsules in which you can assure that you can recover from potential segmentation faults or even protect against them?
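The one check the capsule API itself gives a C function is the capsule name: `PyCapsule_IsValid` / `PyCapsule_GetPointer` refuse an object that is not a capsule, or that is a capsule carrying a different name, before any pointer is dereferenced. The block below is an added example, not code from the question or its answers; it drives the real CPython capsule functions through `ctypes.pythonapi` so it runs without compiling an extension, and the capsule name `myproject.handle`, the `Counter` struct and the `increment` consumer are all constructed for illustration. It shows what the name check does and does not buy you: a wrong-name capsule or a plain integer handed to the consumer is rejected with a Python exception instead of being treated as an address, but nothing here stops a script that already has `ctypes` from doing whatever it likes to the process, which is the point made in the edit above.

```python
import ctypes

# Constructed capsule name; a real project would use its own dotted name.
CAPSULE_NAME = b"myproject.handle"

# Bind the CPython capsule API with explicit signatures so ctypes
# marshals arguments correctly and surfaces Python errors as exceptions.
_api = ctypes.pythonapi
_api.PyCapsule_New.restype = ctypes.py_object
_api.PyCapsule_New.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_void_p]
_api.PyCapsule_IsValid.restype = ctypes.c_int
_api.PyCapsule_IsValid.argtypes = [ctypes.py_object, ctypes.c_char_p]
_api.PyCapsule_GetPointer.restype = ctypes.c_void_p
_api.PyCapsule_GetPointer.argtypes = [ctypes.py_object, ctypes.c_char_p]


class Counter(ctypes.Structure):
    """Stand-in for the C-side state the question wants to hand to Python."""
    _fields_ = [("value", ctypes.c_int)]


def make_handle(counter):
    """Wrap the address of a Counter in a capsule tagged with our name.

    The caller must keep `counter` alive for as long as the capsule is used;
    no destructor is registered (NULL) because Python owns the memory here.
    """
    return _api.PyCapsule_New(ctypes.addressof(counter), CAPSULE_NAME, None)


def increment(handle):
    """Defensive consumer: validate the capsule before touching the pointer.

    PyCapsule_IsValid returns 0 for anything that is not a capsule or that
    carries a different name, so a foreign object never reaches the cast.
    """
    if not _api.PyCapsule_IsValid(handle, CAPSULE_NAME):
        raise TypeError("expected a %s capsule" % CAPSULE_NAME.decode())
    addr = _api.PyCapsule_GetPointer(handle, CAPSULE_NAME)
    counter = Counter.from_address(addr)
    counter.value += 1
    return counter.value


def demo():
    """Exercise the good path and two rejected inputs.

    Returns ([1, 2], [True, True]): two successful increments, then
    rejection of a capsule with another name and of a plain integer.
    """
    counter = Counter(0)
    good = make_handle(counter)
    results = [increment(good), increment(good)]

    # Constructed wrong-name capsule, as another library might produce.
    other = _api.PyCapsule_New(ctypes.addressof(counter), b"otherlib.handle", None)
    rejected = []
    for bad in (other, 12345):
        try:
            increment(bad)
            rejected.append(False)
        except TypeError:
            rejected.append(True)
    return results, rejected


if __name__ == "__main__":
    print(demo())
```

The name check is a type tag, not a memory-safety guarantee: it protects a C function from capsules of the wrong kind and from non-capsule objects, which is the accidental-misuse case, while the deliberate case (a script that manufactures its own capsule with the right name, or that uses `ctypes` directly) is outside what the interpreter can police.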