Safe eval?
Philipp Lenssen
lenssen at hitnet.rwth-aachen.de
Sun Apr 21 15:36:43 EDT 2002
"Philipp Lenssen" <lenssen at hitnet.rwth-aachen.de> wrote in message
news:a9i2kg$cg8$1 at nets3.rz.RWTH-Aachen.DE...
> Is it possible to have a safe eval() on the server-side even when the string
> consists of submitted user data?
>..
Since some people pointed me to rexec, my current function looks like this:
    def safeEval(self, s):
        return rexec.RExec.r_eval(rexec.RExec(), s)
(That's the only way I got it to work since I didn't get the example at
http://www.python.org/doc/lib/node547.html .)
Now my question is, how do I allow my own functions* contained in the same
class? The eval-String contains these as "self.myFunction(1, 2)", which
works fine using normal eval().
I'm sure I have to do something with ok_builtin_modules, but I don't know
what.
Before I used rexec, I had a normal eval() but did the following before,
since somebody pointed out those strings (I guess with rexec it's not needed
anymore):
    s = string.replace(s, "__", "")
    s = string.replace(s, "file", "")
    s = string.replace(s, "eval", "")
Thanks for any help.
*For sample purposes, allowed functions are:
qml_random(min, max), qml_upper(s), qml_lower(s)
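
An allowlist approach to the question above, as an added example that is not part of the original post and does not use rexec (which is not available in Python 3): the expression is parsed with `ast`, and only calls to the three named functions with string or integer literal arguments are evaluated. The function bodies, `safe_eval`, `UnsafeExpression` and the 200-character cap are assumptions made for illustration.

```python
import ast
import random

# Hypothetical stand-ins for the three functions named in the post.
def qml_random(lo, hi):
    return random.randint(lo, hi)

def qml_upper(s):
    return s.upper()

def qml_lower(s):
    return s.lower()

ALLOWED = {"qml_random": qml_random, "qml_upper": qml_upper, "qml_lower": qml_lower}
MAX_LEN = 200  # assumed cap on the length of a submitted expression

class UnsafeExpression(ValueError):
    """Raised for anything outside the allowlisted grammar."""

def _value(node):
    # Only str and int literals pass (type() check also excludes bool).
    if isinstance(node, ast.Constant) and type(node.value) in (str, int):
        return node.value
    if isinstance(node, ast.Call):
        return _call(node)
    raise UnsafeExpression("disallowed syntax: " + type(node).__name__)

def _call(node):
    func = node.func
    # Accept "qml_upper(...)" and the post's "self.qml_upper(...)" form.
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "self"):
        name = func.attr
    elif isinstance(func, ast.Name):
        name = func.id
    else:
        raise UnsafeExpression("disallowed call target")
    if name not in ALLOWED or node.keywords:
        raise UnsafeExpression("function not allowed: " + name)
    return ALLOWED[name](*[_value(a) for a in node.args])

def safe_eval(s):
    if len(s) > MAX_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(s, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeExpression("not an expression") from exc
    return _value(tree.body)
```

Nothing from the submitted string is ever passed to eval(); names are only used as dictionary keys into `ALLOWED`, so attribute access, operators, imports and any other builtin are rejected by construction rather than filtered out by substring.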