[Python-ideas] relaxing keyword usage restrictions
Bruce Leban
bruce at leapyear.org
Fri Sep 9 08:46:12 CEST 2011
On Thu, Sep 8, 2011 at 11:04 PM, H Krishnan <hetchkay at gmail.com> wrote:
> The use-case I had in mind was related to a customization tool we are
> developing. We want to allow users to define expressions and assign them to
> names. We 'eval' the expressions subsequently. We have to currently prevent
> users from using any python keyword as a name, which I felt was an
> unnecessary restriction.
>
Now that you've defined the actual use case you had in mind, it's a good
reason not to use this. Using 'eval' on user-provided expressions is risky
in many ways. If you restrict the expressions to simple operators like +-*/
then that's easy (and safer) to process without using eval (or if you are
using eval, it's easy to replace every variable X with something like
data["X"] completely eliminating the possibility of information leakage). If
you're allowing calls to arbitrary functions then you're probably going to
have some security holes in your app. For example, you better make sure to
disallow expressions like:
__import__('sys').exit()
or
[i for i in range(2**100) if i < 1]
and lots of others.
--- Bruce
Follow me: http://www.twitter.com/Vroo http://www.vroospeak.com
P.S.. Yes, that's valid scheme? So what? Redefining 'define' pretty much
guarantees that the rest of your program will fail.
(define define 3)(display (* define 5)) => 15(define x 4) => FAIL
The fact that another language allows you to shoot yourself in the foot
isn't a good argument that Python should allow that too.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20110908/74fa8e79/attachment.html>
More information about the Python-ideas
mailing list