Question about using python as a scripting language
Delaney, Timothy (Tim)
tdelaney at avaya.com
Wed Aug 9 17:33:51 EDT 2006
Carl Banks wrote:
> Delaney, Timothy (Tim) wrote:
>> Steve Lianoglou wrote:
>>
>>> So, for instance, you can write:
>>> my_list = eval('[1,2,3,4]')
>>
>> This is just asking for trouble.
>>
>> my_list = eval('import shutil; shutil.rmtree('/')')
>
> Fortunately, that won't work because eval expects an expression.
> Unfortunately, this will:
>
> my_list = eval('__import__("shutil").rmtree("/")')
Yeah - forgot the specifics in getting the point across ;)
To answer the other question - when should you use eval? When the
risk/reward warrants it. What is the risk of using eval (or exec) on
untrusted code?
Note that you *have* to decide where the line is drawn, because
effectively all .py files run through the same process (not quite, but I
hope you can see where I'm going). For me, the line in nearly every case
is to not use eval/exec - use something else that validates - like
int().
Tim Delaney
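Worked example of the point made above (added here; this is not code from the thread, and ast.literal_eval is my suggested alternative, not one the posters mention): eval() on a "harmless" list literal also executes any expression an attacker substitutes, while a validating parser such as int() or ast.literal_eval accepts only the data shape you expect. The hostile input is a constructed stand-in that calls os.getpid() rather than shutil.rmtree('/'), so the script is safe to run, and the expectation of "a list of ints" is an assumption made for the example.

```python
import ast

# Constructed sample inputs: what a cooperative user would send, and what an
# attacker could send instead. The hostile payload is deliberately benign; it
# only proves that arbitrary code ran (same mechanism as __import__("shutil")).
BENIGN_INPUT = "[1, 2, 3, 4]"
HOSTILE_INPUT = "__import__('os').getpid()"
CSV_INPUT = "1, 2, 3, 4"


def parse_with_eval(text):
    """The pattern from the thread: eval() on untrusted text.

    Any Python expression is executed, including __import__ calls, so the
    caller gets whatever the sender chose to run, not just a list.
    """
    return eval(text)


def parse_list_of_ints(text):
    """Validating alternative for list-literal input.

    ast.literal_eval only builds literals (numbers, strings, tuples, lists,
    dicts, sets, booleans, None). Calls, attribute access and names are
    rejected with ValueError, so no code runs. We then check the shape we
    actually expect, the way int() checks a single integer.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("not a Python literal: %r" % (text,)) from exc
    # bool is a subclass of int; exclude it explicitly if True/False are not
    # acceptable values for this field.
    if not isinstance(value, list) or not all(
        isinstance(v, int) and not isinstance(v, bool) for v in value
    ):
        raise ValueError("expected a list of ints, got %r" % (value,))
    return value


def parse_ints_csv(text):
    """The int() approach suggested in the thread, for comma-separated input.

    int() parses digits and nothing else, so "__import__('os')" raises
    ValueError instead of importing anything.
    """
    return [int(field) for field in text.split(",")]


def demo():
    """Run the unsafe and safe parsers over both inputs; return what happened."""
    results = {}
    results["eval_benign"] = parse_with_eval(BENIGN_INPUT)
    # Evidence that eval ran the attacker's call: we got a pid back, not a list.
    results["eval_hostile_ran_code"] = isinstance(parse_with_eval(HOSTILE_INPUT), int)

    results["safe_benign"] = parse_list_of_ints(BENIGN_INPUT)
    try:
        parse_list_of_ints(HOSTILE_INPUT)
        results["safe_hostile_rejected"] = False
    except ValueError:
        results["safe_hostile_rejected"] = True

    results["csv_benign"] = parse_ints_csv(CSV_INPUT)
    try:
        parse_ints_csv(HOSTILE_INPUT)
        results["csv_hostile_rejected"] = False
    except ValueError:
        results["csv_hostile_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%-26s %r" % (name, value))
```

One caveat worth keeping in mind: ast.literal_eval stops code execution, but it still parses whatever it is given, so a very large or deeply nested literal can exhaust memory or the recursion limit. Cap the input length before parsing untrusted data, and prefer the narrowest parser that fits (int(), a split on a delimiter) when the expected format is that simple.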