Sanitizing untrusted code for eval()

Alan Kennedy alanmk at hotmail.com
Tue Aug 23 10:54:40 EDT 2005


[Jim Washington]
> I'm still working on yet another parser for JSON (http://json.org).  It's
> called minjson, and it's tolerant on input, strict on output, and pretty
> fast. The only problem is, it uses eval(). It's important to sanitize the
> incoming untrusted code before sending it to eval().  

I think that you shouldn't need eval to parse JSON.

For a discussion of the use of eval in pyjsonrpc, between me and the 
author, Jan-Klaas Kollhof, see the content of the following links. A 
discussion of the relative time *in*efficiency of eval is also included: 
it is much faster to use built-in functions such as str and float to 
convert from JSON text/tokens to strings and numbers.

http://mail.python.org/pipermail/python-list/2005-February/265805.html
http://groups.yahoo.com/group/json-rpc/message/55

Pyjsonrpc uses the python tokeniser to split up JSON strings, which 
means that you cannot be strict about things like double (") vs. single 
(') quotes, etc.

JSON is so simple, I think it best to write a tokeniser and parser for 
it, either using a parsing library, or just coding your own.

-- 
alan kennedy
------------------------------------------------------
email alan:              http://xhaus.com/contact/alan
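As an added illustration of the advice above (this is example code written for this page, not minjson's or pyjsonrpc's), here is a JSON parser that never touches eval(). It tokenises directly on the JSON grammar, so it can be strict where the Python tokeniser cannot: only double-quoted strings are accepted, numbers go through int() and float(), and anything that is not JSON (single quotes, bare identifiers, a Python expression smuggled into the payload) raises an error instead of being executed.

```python
import re

# Added example, not minjson's or pyjsonrpc's code: a small recursive-descent
# JSON parser that never calls eval(). Strings are matched by a regex that
# admits only legal JSON string content, numbers are converted with int() and
# float(), and anything else (single quotes, identifiers, Python expressions)
# raises JSONError instead of being executed.

class JSONError(ValueError):
    pass

_WS = re.compile(r'[ \t\n\r]*')
_NUMBER = re.compile(r'-?(?:0|[1-9]\d*)(\.\d+)?([eE][-+]?\d+)?')
_STRING = re.compile(r'"((?:[^"\\\x00-\x1f]|\\["\\/bfnrt]|\\u[0-9a-fA-F]{4})*)"')
_ESCAPE = re.compile(r'\\(?:u([0-9a-fA-F]{4})|(.))')
_ESCAPES = {'"': '"', '\\': '\\', '/': '/', 'b': '\b', 'f': '\f',
            'n': '\n', 'r': '\r', 't': '\t'}
_LITERALS = (('true', True), ('false', False), ('null', None))

def loads(text):
    """Parse exactly one JSON document; anything left over is an error."""
    value, pos = _parse_value(text, _skip_ws(text, 0))
    pos = _skip_ws(text, pos)
    if pos != len(text):
        raise JSONError('trailing data at offset %d' % pos)
    return value

def _skip_ws(text, pos):
    return _WS.match(text, pos).end()

def _parse_value(text, pos):
    if pos >= len(text):
        raise JSONError('unexpected end of input')
    ch = text[pos]
    if ch == '"':
        return _parse_string(text, pos)
    if ch == '{':
        return _parse_container(text, pos, '}')
    if ch == '[':
        return _parse_container(text, pos, ']')
    for literal, value in _LITERALS:
        if text.startswith(literal, pos):
            return value, pos + len(literal)
    m = _NUMBER.match(text, pos)
    if m:
        s = m.group(0)
        # int() for plain integers, float() only with a fraction or exponent
        return (float(s) if m.group(1) or m.group(2) else int(s)), m.end()
    raise JSONError('unexpected character %r at offset %d' % (ch, pos))

def _parse_string(text, pos):
    # text[pos] is a double quote; single-quoted input never gets here.
    # Bad escapes and raw control characters simply fail to match.
    m = _STRING.match(text, pos)
    if not m:
        raise JSONError('bad string at offset %d' % pos)

    def unescape(e):  # \uXXXX (surrogate pairs not combined) or a one-char escape
        return chr(int(e.group(1), 16)) if e.group(1) else _ESCAPES[e.group(2)]

    return _ESCAPE.sub(unescape, m.group(1)), m.end()

def _parse_container(text, pos, close):
    # Shared loop for arrays (close == ']') and objects (close == '}').
    result = {} if close == '}' else []
    pos = _skip_ws(text, pos + 1)
    if text.startswith(close, pos):
        return result, pos + 1
    while True:
        if close == '}':
            if not text.startswith('"', pos):
                raise JSONError('object key must be a double-quoted string at offset %d' % pos)
            key, pos = _parse_string(text, pos)
            pos = _skip_ws(text, pos)
            if not text.startswith(':', pos):
                raise JSONError("expected ':' at offset %d" % pos)
            pos = _skip_ws(text, pos + 1)
        value, pos = _parse_value(text, pos)
        if close == '}':
            result[key] = value
        else:
            result.append(value)
        pos = _skip_ws(text, pos)
        if text.startswith(',', pos):
            pos = _skip_ws(text, pos + 1)
        elif text.startswith(close, pos):
            return result, pos + 1
        else:
            raise JSONError("expected ',' or %r at offset %d" % (close, pos))

def rejects(text):
    """True if loads() refuses the input; nothing in it is ever executed."""
    try:
        loads(text)
    except JSONError:
        return True
    return False
```

The point of the design is that untrusted text only ever reaches int(), float() and a string regex, none of which can run code, so there is nothing to "sanitize": malformed or hostile input is rejected by the grammar rather than filtered before being handed to an interpreter.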


