Safe eval?

Philipp Lenssen lenssen at hitnet.rwth-aachen.de
Tue Apr 16 17:39:32 EDT 2002


"Andrew Dalke" <dalke at dalkescientific.com> wrote in message
news:a9i4uv$k3h$1 at slb4.atl.mindspring.net...
> Philipp Lenssen:
> >Is it possible to have a safe eval() on the server-side even when the
> string
> >consists of submitted user data?
>
> What do you call 'safe'?  Ahh, your next post
>
> > all that should be allowed is arithmetics (boolean as
> > well) plus a limited set of functions that I write & define.
>
> Will you allow "blahblahblahblah" * 2 ** 31 ? (which is a possible denial
> of service attack if you don't have a few GB of RAM handy, since it makes
> an 8GB string.)
>

Oh yes, and I forgot that complicated part -- not only do I want to have my
limited set of allowed functions, I want to definitely allow string
comparison. This makes it a bit harder, since technically e.g. the following
should be allowed:
'john doe' == 'delete_all_files()' or 1

Now to tell the truth I don't care 100% if a once-in-a-million user input
like "delete_all_files()" is actually part of a harmless, well-intended
string value, and I accidentally remove it (if I used a straightforward
replacement algorithm as a last resort) because of my security... problems
would arise if the function name sounds more natural (like, I removed
"touch" in PHP).

But, if this is about any kind of buffer overflow or denial of service
attack, I didn't even think about that. Well, one problem at a time...

> If so, take a look at 'eval' in the documentation, under
>   http://www.python.org/doc/current/lib/built-in-funcs.html
> Call it with an empty locals and an almost empty globals
>
>   eval("2+3", {"__builtins__": {}}, {})
>..

I saw the __builtins__ being used by Geoff Gerrietts in the class he
provided, so that should be OK.

Thanks.
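The `eval("2+3", {"__builtins__": {}}, {})` idiom quoted above restricts the namespace eval sees, but it is not a complete sandbox on its own, and it does nothing about the `"blahblah" * 2 ** 31` memory-exhaustion case Andrew raised. A more robust way to get what the thread asks for (arithmetic, booleans, string comparison, and a small set of application-defined functions) is to parse the submitted text with the `ast` module and evaluate only the node types you explicitly permit, never calling `eval` at all. The following is an added example written for this page, not code from the thread or from the Python documentation; it assumes Python 3.8 or newer, and the function whitelist (`length`, `upper`, `minimum`), the size caps (`MAX_STR_LEN`, `MAX_EXPONENT`, `MAX_ABS_INT`, `MAX_EXPR_LEN`) and the `safe_eval` / `is_rejected` names are all hypothetical choices for illustration.

```python
import ast
import operator

# Resource caps (assumed values; tune for the application).
MAX_EXPR_LEN = 1000        # longest accepted expression text
MAX_STR_LEN = 10_000       # longest string any sub-expression may produce
MAX_EXPONENT = 1_000       # largest exponent accepted by **
MAX_ABS_INT = 10 ** 100    # largest integer magnitude accepted

# Hypothetical whitelist of functions the application author defines.
ALLOWED_FUNCS = {"length": len, "upper": str.upper, "minimum": min}

BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}


class UnsafeExpression(ValueError):
    """Raised for any syntax, name, or result size the evaluator does not permit."""


def _check_size(value):
    # Reject results that would let a short expression consume a lot of memory.
    if isinstance(value, str) and len(value) > MAX_STR_LEN:
        raise UnsafeExpression("string result too large")
    if isinstance(value, int) and not isinstance(value, bool) and abs(value) > MAX_ABS_INT:
        raise UnsafeExpression("integer result too large")
    return value


def _eval(node):
    # Every branch below is an explicit allow; anything else falls through and is rejected.
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int, float, str)):
        return _check_size(node.value)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.Not)):
        operand = _eval(node.operand)
        return -operand if isinstance(node.op, ast.USub) else not operand
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval(node.left), _eval(node.right)
        if isinstance(node.op, ast.Mult):
            # Guard "text" * huge_int before the multiplication allocates anything.
            for s, n in ((left, right), (right, left)):
                if isinstance(s, str) and isinstance(n, int) and len(s) * n > MAX_STR_LEN:
                    raise UnsafeExpression("string repetition too large")
        if isinstance(node.op, ast.Pow) and isinstance(right, (int, float)) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return _check_size(BIN_OPS[type(node.op)](left, right))
    if isinstance(node, ast.BoolOp):
        # Same short-circuit semantics as Python's and/or: return the deciding operand.
        result = None
        for value in node.values:
            result = _eval(value)
            if isinstance(node.op, ast.And) and not result:
                return result
            if isinstance(node.op, ast.Or) and result:
                return result
        return result
    if isinstance(node, ast.Compare) and all(type(op) in CMP_OPS for op in node.ops):
        left = _eval(node.left)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator)
            if not CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        # Only a bare name from the whitelist may be called; attribute calls never reach here.
        if node.func.id not in ALLOWED_FUNCS:
            raise UnsafeExpression("function not allowed: %s" % node.func.id)
        return _check_size(ALLOWED_FUNCS[node.func.id](*[_eval(a) for a in node.args]))
    raise UnsafeExpression("syntax not allowed: %s" % type(node).__name__)


def safe_eval(expr):
    """Evaluate a user-supplied expression using only the permitted node types above."""
    if len(expr) > MAX_EXPR_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, RecursionError) as exc:
        raise UnsafeExpression("invalid expression") from exc
    try:
        return _eval(tree)
    except (TypeError, ZeroDivisionError, OverflowError) as exc:
        raise UnsafeExpression("evaluation error") from exc


def is_rejected(expr):
    """True when safe_eval refuses the expression (convenience for checks and tests)."""
    try:
        safe_eval(expr)
    except UnsafeExpression:
        return True
    return False
```

Because the string `'delete_all_files()'` is only ever seen as an `ast.Constant`, it is returned as data and compared, while a bare `delete_all_files()` call is an `ast.Call` whose name is not in the whitelist and is refused; the string-replacement workaround the post considers becomes unnecessary. Attribute access, subscripts, lambdas, comprehensions and names are never matched by any branch, so they are rejected by the final `raise` without needing a blacklist.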