how to convert string to list or tuple
Duncan Booth
duncan.booth at invalid.invalid
Sun May 29 12:49:29 EDT 2005
Dan Bishop wrote:
> Simon Brunning wrote:
>> [...]
>
> Or if you do use eval, don't give it access to any names.
>
>> [...]
> os.system("rm -rf *")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
>   File "<string>", line 0, in ?
> NameError: name 'os' is not defined
>
Have you tried giving it the string '__import__("os").system("rm -rf *")'?
[Don't try that at home, children!]
Even if you take steps to avoid that working by hiding the builtins, there
are still too many ways to do nasty things with eval for it ever to be
safe.
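
Added example, not part of the original message: one way to do the conversion the thread asks about without eval, using the standard library's ast.literal_eval, which accepts only literal syntax and rejects the string above without running it. The names parse_sequence, classify, MAX_LEN and SAMPLES are assumptions made for this illustration.

```python
import ast

# Assumed cap: literal_eval can still exhaust memory or the parser stack
# on very large or deeply nested input, so bound the input first.
MAX_LEN = 10_000


def parse_sequence(text):
    """Turn the text of a list/tuple literal into a list or tuple, without eval()."""
    if len(text) > MAX_LEN:
        raise ValueError("input too long")
    try:
        # literal_eval parses the text and accepts only literal nodes
        # (numbers, strings, tuples, lists, dicts, sets, booleans, None).
        # Names, attribute access and calls are rejected, never executed.
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain Python literal") from exc
    if not isinstance(value, (list, tuple)):
        raise ValueError("expected a list or tuple literal")
    return value


# Constructed sample inputs; the third is the string quoted in the message.
SAMPLES = [
    "[1, 2, 'three']",
    "(1.5, None, ('a', 'b'))",
    '__import__("os").system("rm -rf *")',
    "'just a string'",
]


def classify(samples):
    """Map each sample to its parsed value or to a rejection message."""
    results = {}
    for src in samples:
        try:
            results[src] = parse_sequence(src)
        except ValueError as exc:
            results[src] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for src, out in classify(SAMPLES).items():
        print(repr(src), "->", out)
```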