Sanitizing untrusted code for eval()

Fredrik Lundh fredrik at pythonware.com
Mon Aug 22 16:12:25 EDT 2005


Jim Washington wrote:

> 4.  List comprehensions might be troublesome, though it's not clear to me
> how a DoS or exploit is possible with these.

see item 1.

> Or is eval() simply too evil?

yes.

however, running a tokenizer over the source string and rejecting any string
that contains unknown tokens (i.e. anything that's not a literal, comma, colon,
or square or curly bracket) before evaluation might be good enough.

(you can use Python's standard tokenizer module, or rip out the relevant parts
from it and use the RE engine directly)

</F> 
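A filter along the lines the reply describes, as an added example that is not part of the original post or of any Python library: it runs the standard tokenize module over the string and refuses anything that is not a numeric or string literal, comma, colon or bracket, so names and comprehensions (item 4 above) are rejected before eval() ever sees the text. The function names `is_literal_only` and `safe_eval` are this example's own.

```python
import io
import tokenize

# Punctuation the post's whitelist allows: enough to build lists, dicts and sets.
ALLOWED_PUNCT = {",", ":", "[", "]", "{", "}"}
# Tokens the tokenizer emits for layout only; they carry no code of their own.
STRUCTURAL = {tokenize.NEWLINE, tokenize.NL, tokenize.ENDMARKER,
              tokenize.INDENT, tokenize.DEDENT}


def is_literal_only(source):
    """Return True if `source` consists solely of whitelisted tokens."""
    try:
        tokens = list(tokenize.generate_tokens(io.StringIO(source).readline))
    except (tokenize.TokenError, SyntaxError):
        # unbalanced brackets, unterminated strings, bad indentation, ...
        return False
    for tok in tokens:
        if tok.type in STRUCTURAL or tok.type == tokenize.NUMBER:
            continue
        if tok.type == tokenize.OP and tok.string in ALLOWED_PUNCT:
            continue
        if tok.type == tokenize.STRING:
            # Before Python 3.12 an f-string is a single STRING token whose
            # braces may hold arbitrary expressions, so reject any 'f' prefix.
            # (From 3.12 on, f-strings use FSTRING_* tokens and fail the
            # whitelist anyway.)
            prefix = source_prefix(tok.string)
            if "f" in prefix.lower():
                return False
            continue
        # NAME, any other OP (including a unary minus), COMMENT, ERRORTOKEN ...
        return False
    return True


def source_prefix(string_token):
    """Return the letter prefix (b, r, u, f ...) in front of a string literal."""
    return string_token[:len(string_token) - len(string_token.lstrip("bBrRuUfF"))]


def safe_eval(source):
    """eval() the string only after the tokenizer whitelist has accepted it."""
    if not is_literal_only(source):
        raise ValueError("rejected: input is not a plain literal")
    return eval(source, {"__builtins__": {}}, {})
```

Note that a strict whitelist also rejects `-1`, because the leading minus tokenizes as an operator rather than as part of the number; on Python 2.6 and later, `ast.literal_eval` evaluates literal-only input without calling `eval()` at all.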