Safe eval?
Andrew Dalke
dalke at dalkescientific.com
Tue Apr 16 17:30:07 EDT 2002
Philipp Lenssen:
>Is it possible to have a safe eval() on the server-side even when the
>string consists of submitted user data?
What do you call 'safe'? Ahh, your next post
> all that should be allowed is arithmetics (boolean as
> well) plus a limited set of functions that I write & define.
Will you allow "blahblahblahblah" * 2 ** 31 ? (which is a possible denial
of service attack if you don't have a few GB of RAM handy, since it makes
an 8GB string.)
If so, take a look at 'eval' in the documentation, under
http://www.python.org/doc/current/lib/built-in-funcs.html
Call it with an empty locals and an almost empty globals
eval("2+3", {"__builtins__": {}}, {})
The "__builtins__" is needed because if an empty globals dictionary
is used then eval will set it to the current __builtins__, which
allows all sorts of hacks, like
eval("__import__('os').system('ls')")
Andrew
dalke at dalkescientific.com
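As an added example (not code from Andrew's post or from the Python documentation): the first function is the eval-with-empty-builtins call exactly as described above, which makes the `__import__('os')` string fail with a NameError. Because emptying `__builtins__` is not a sandbox, the second function takes the stricter route implied by Philipp's requirement ("arithmetic, booleans, plus a limited set of functions I define"): it parses the input with the standard `ast` module and walks a whitelist of node types, refuses string literals (so the "blahblahblah" * 2 ** 31 memory blow-up cannot be expressed), caps exponents and result size to bound CPU and memory, and only calls functions the caller has registered by name. The function names, `MAX_EXPONENT` and `MAX_INT_BITS` are assumed values chosen for this example.

```python
import ast
import operator

# Approach from the post: eval() with empty locals and an almost empty globals.
# Blocks names such as __import__ (NameError), but restricting builtins is not
# a sandbox, so prefer safe_eval() below for untrusted input.
def restricted_eval(expr):
    return eval(expr, {"__builtins__": {}}, {})

MAX_EXPONENT = 1000   # assumed limit: refuses 2 ** 100000 before computing it
MAX_INT_BITS = 4096   # assumed limit: refuses results that would eat memory

_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: None,   # Pow is handled separately
}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Not: operator.not_}

def safe_eval(expr, functions=None):
    """Evaluate arithmetic/boolean expressions; `functions` maps allowed
    call names to callables. Anything outside the whitelist raises ValueError."""
    tree = ast.parse(expr, mode="eval")   # SyntaxError propagates to the caller
    return _eval_node(tree.body, functions or {})

def _check_size(value):
    # bool is an int subclass; skip it so True/False pass through untouched
    if isinstance(value, int) and not isinstance(value, bool) \
            and value.bit_length() > MAX_INT_BITS:
        raise ValueError("result too large")
    return value

def _eval_node(node, functions):
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (bool, int, float)):
            return node.value
        raise ValueError("only numeric and boolean literals are allowed")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, functions))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, functions)
        right = _eval_node(node.right, functions)
        if isinstance(node.op, ast.Pow):
            if abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return _check_size(left ** right)
        return _check_size(_BIN_OPS[type(node.op)](left, right))
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v, functions) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        # chained comparisons (1 < x < 3) evaluate left to right like Python
        left = _eval_node(node.left, functions)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise ValueError("comparison operator not allowed")
            right = _eval_node(comparator, functions)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Call):
        # only bare names registered by the caller may be called; attribute
        # access, lambdas and keyword arguments never reach this point
        if not isinstance(node.func, ast.Name) or node.func.id not in functions:
            raise ValueError("call to unregistered function")
        if node.keywords:
            raise ValueError("keyword arguments not allowed")
        return functions[node.func.id](*[_eval_node(a, functions) for a in node.args])
    raise ValueError("disallowed expression element: %s" % type(node).__name__)

if __name__ == "__main__":
    print(restricted_eval("2+3"))                      # 5
    print(safe_eval("max(1, 2) + 1", {"max": max}))    # 3
```

Bare names are deliberately not evaluated at all (only a name in call position is looked up, and only in the caller-supplied table), so there is no lookup path into globals or builtins; what the evaluator cannot express it cannot be tricked into running.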