Providing Python scripting to a Python application

Laura Creighton lac at strakt.com
Sat Dec 28 14:17:54 EST 2002


There is a problem using eval to let users run arbitrary pieces of code
which you should be aware of.

>>> eval("__import__('os').listdir('.')")
['.bashrc', '.bash_profile', '.alias', '.cshrc', '.gnome', '.gnome-errors', '.gnome_private', '.Xauthority', '.esd_auth', '.sawfish', '.ssh', '.ICEauthority', '.bash_history', '.kde2-errors', '.kde', '.DCOPserver_smartwheels_:0', '.DCOPserver_smartwheels', '.gtkrc-kde', '.MCOP-random-seed', '.mcoprc', '.mcop', 'Desktop', 'src', '.pysol', '.mozilla', 'genesis.strike', 'quetzl.2', 'bin', '.lpmudrc']
>>>

I could have used remove, rather than listdir, but I would like to keep
my files.  This will fix this problem,

>>> s="__import__('os').listdir('.')"
>>> eval(s, {"__builtins__": {}})
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<string>", line 0, in ?
NameError: name '__import__' is not defined

but you are still going to be vulnerable to memory and CPU attacks.

Laura Creighton
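As an added illustration (not part of the original post), the following example contrasts the empty-`__builtins__` trick from the message with a whitelist evaluator built on the `ast` module, which is the usual defensive answer when an application only needs to let users type simple expressions. `restricted_eval` reproduces the post's approach; `safe_eval`, `UnsafeExpression` and the `MAX_ABS_EXPONENT` limit are assumptions introduced here. The exponent cap is one concrete way to bound the CPU and memory cost the post warns about for inputs such as `9**9**9`; it is a partial mitigation, not a sandbox.

```python
"""Added example: whitelist-based expression evaluation versus eval() with
empty builtins. Not code from the original mailing-list post."""
import ast
import operator

# Permitted binary and unary operators, keyed by AST node type.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

# Constructed limit: keeps pow() from consuming unbounded CPU/memory.
MAX_ABS_EXPONENT = 64


class UnsafeExpression(ValueError):
    """Raised when the input uses syntax outside the whitelist."""


def restricted_eval(expr: str):
    """The approach from the post: eval() with no builtins.

    This blocks the __import__ call shown in the message, but it is still
    eval(): anything the grammar allows is executed, so a hostile expression
    can still burn CPU or memory.
    """
    return eval(expr, {"__builtins__": {}})


def safe_eval(expr: str):
    """Evaluate a numeric expression by walking its AST.

    Only numeric literals, unary +/- and the operators in _BIN_OPS are
    accepted; names, attribute access, calls, subscripts and everything else
    are rejected before any evaluation happens.
    """
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree.body)


def _eval_node(node):
    # Numeric literal (bool is excluded even though it subclasses int).
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left)
        right = _eval_node(node.right)
        # Bound the cost of exponentiation before performing it.
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_ABS_EXPONENT:
            raise UnsafeExpression("exponent exceeds MAX_ABS_EXPONENT")
        return _BIN_OPS[type(node.op)](left, right)
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


if __name__ == "__main__":
    print(safe_eval("1 + 2 * 3"))          # 7
    for bad in ("__import__('os').listdir('.')", "9**9**9"):
        try:
            safe_eval(bad)
        except UnsafeExpression as exc:
            print(f"rejected {bad!r}: {exc}")
```

`restricted_eval("9**9**9")` is deliberately not exercised: with empty builtins it still parses and runs, which is exactly the resource exhaustion the post describes, whereas `safe_eval` refuses it because the inner exponent is evaluated and checked against the cap before the outer `pow` is attempted.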
