limited python virtual machine
Alex Martelli
aleaxit at yahoo.com
Sat Jan 29 11:04:29 EST 2005
Stephen Thorne <stephen.thorne at gmail.com> wrote:
> On Sat, 29 Jan 2005 08:53:45 -0600, Skip Montanaro <skip at pobox.com> wrote:
> >
> > >> One thing my company has done is written a ``safe_eval()`` that uses
> > >> a regex to disable double-underscore access.
> >
> > Alex> will the regex catch getattr(object,
> > Alex> 'subclasses'.join(['_'*2]*2)...?-)
> >
> > Now he has two problems. ;-)
>
> I nearly asked that question, then I realised that 'getattr' is quite
> easy to remove from the global namespace for the code in question, and
> assumed that they had already thought of that.
OK then -- vars(type(object)) is a dict which has [[the unbound-method
equivalent of]] object.__subclasses__ at its entry for key
'__subclasses__'. Scratch 'vars' in addition to 'getattr'. And 'eval'
of course, or else building up the string 'object.__subclasses__' (in a
way the regex won't catch) then eval'ing it is easy. I dunno, maybe I'm
just being pessimistic, I guess...
Alex
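The filter and the three bypasses the thread walks through, spelled out as runnable code. This is an added example, not code from the original post or from anyone in the thread: `regex_safe_eval` is a constructed stand-in for the regex-based `safe_eval()` Skip mentions (its real implementation is not shown), `builtins_without` models "scratching" a name from the namespace the evaluated code sees, and `allowlist_safe_eval` is an added alternative that decides on the parsed AST rather than on the spelling of the source text. It assumes Python 3.8 or later (`ast.Constant`).

```python
import ast
import builtins
import re

# Filter of the kind the thread describes: any '__' in the source text is refused.
DUNDER = re.compile(r"__")


class RejectedExpression(ValueError):
    """Raised when a filter refuses to evaluate an expression."""


def regex_safe_eval(expr, names):
    """Constructed stand-in for a regex-based safe_eval(): reject source text
    containing a double underscore, then eval the rest with `names` as the only
    builtins (so leaving 'getattr' out of `names` is "scratching" it)."""
    if DUNDER.search(expr):
        raise RejectedExpression(expr)
    return eval(expr, {"__builtins__": dict(names)}, {})


def builtins_without(*blocked):
    """The real builtins minus the named functions, e.g. builtins_without('getattr')."""
    return {k: v for k, v in vars(builtins).items() if k not in blocked}


# The three constructions from the thread. None of them contains '__' as text,
# yet each reaches object.__subclasses__(): 'subclasses'.join(['_'*2]*2) builds
# the string '__subclasses__' at run time, where no regex over the source sees it.
BYPASS_GETATTR = "getattr(object, 'subclasses'.join(['_'*2]*2))()"
BYPASS_VARS = "vars(type(object))['subclasses'.join(['_'*2]*2)](object)"
BYPASS_EVAL = "eval('object.' + 'subclasses'.join(['_'*2]*2) + '()')"


def attempt(expr, names):
    """Run `expr` through regex_safe_eval and classify the outcome:
    'rejected' (the regex caught it), 'blocked' (a builtin it needs was removed),
    'escaped' (it returned object's direct subclasses), or 'other'."""
    try:
        result = regex_safe_eval(expr, names)
    except RejectedExpression:
        return "rejected"
    except NameError:
        return "blocked"
    return "escaped" if isinstance(result, list) and type in result else "other"


# Added alternative: judge the parsed AST, not the text. Only arithmetic,
# comparisons, literals and allow-listed names pass; there is no Attribute or
# Call node at all, so string-building tricks have nothing to hide behind.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Compare, ast.Constant, ast.Name, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.UAdd,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)


def allowlist_safe_eval(expr, names):
    """Evaluate `expr` with `names` as the only reachable variables, refusing any
    AST node type or identifier that is not explicitly allowed."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise RejectedExpression(f"{type(node).__name__} not allowed")
        if isinstance(node, ast.Name) and node.id not in names:
            raise RejectedExpression(f"name {node.id!r} not allowed")
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}}, dict(names))


def allowlist_rejects(expr, names=None):
    """True if allowlist_safe_eval refuses `expr`."""
    try:
        allowlist_safe_eval(expr, names or {})
    except RejectedExpression:
        return True
    return False


if __name__ == "__main__":
    for label, expr in (("getattr", BYPASS_GETATTR), ("vars", BYPASS_VARS), ("eval", BYPASS_EVAL)):
        print(f"{label:8} full builtins: {attempt(expr, builtins_without())}; "
              f"minus getattr/vars/eval: {attempt(expr, builtins_without('getattr', 'vars', 'eval'))}; "
              f"allowlist: {'rejected' if allowlist_rejects(expr) else 'allowed'}")
```

Each bypass passes the regex with the full builtins and is only stopped once the specific builtin it leans on is removed, which is exactly the whack-a-mole Alex is pessimistic about. The AST allow-list refuses all three for a structural reason (a `Call` or `Attribute` node) rather than for how they are spelled; it is still an expression evaluator inside the same interpreter, not a sandbox, so it only buys anything when the allowed node set stays this small.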