Safe eval?

gbreed at cix.compulink.co.uk gbreed at cix.compulink.co.uk
Wed Apr 17 06:39:01 EDT 2002


Chris Liechti wrote:

> you can disable the builtin functions you want and populate the 
> namespace with save functions and classes (see Bastion for that)

I've never worked out how to do the second bit.  Bastion you say?  The 
documentation for that's all about restricting access to classes.  How do 
I get such a class into the namespace for a reval?  Every time this comes 
up, somebody says "use reval" but nothing about how you supply locals to 
it.

I'm currently using normal eval with a local dictionary, and checking it 
doesn't have file, eval or __ in the supplied string.  That covers 
everything I can think of for cracking my website.  I didn't notice you 
could supply a cleaned up globals dictionary as well, but classes and 
modules being leaky I think vetoing all __ is safest anyway.

My ISP does kill long running scripts (standard feature with Apache) but 
how would I defend against DoS in Python?


Graham

<http://www.microtonal.co.uk/>

