eval to dict problems NEWB going crazy !
Sion Arrowsmith
siona at chiark.greenend.org.uk
Mon Jul 10 10:14:56 EDT 2006
Fredrik Lundh <fredrik at pythonware.com> wrote:
>Ant wrote:
>> It seems that there must be a way to use eval safely, as there are
>> plenty of apps that embed python as a scripting language - and what's
>> the point of an eval function if impossible to use safely, and you have
>> to write your own Python parser!!
>embedding python != accepting scripts from anywhere.
And also using eval (or exec or execfile) != accepting scripts from
anywhere. You've got to consider where the data can have come from
and what (broad) context it's being eval()'d in. Last time I did
something like this was with execfile for advanced configuration of
a server, and if a hostile party were in a position to inject
malicious code into *that* then subversion of our program would be
the least of anyone's concern.
--
\S -- siona at chiark.greenend.org.uk -- http://www.chaos.org.uk/~sion/
___ | "Frankly I have no feelings towards penguins one way or the other"
\X/ | -- Arthur C. Clarke
her nu becomeþ se bera eadward ofdun hlæddre heafdes bæce bump bump bump
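The distinction drawn above (where the string comes from, and what eval() will do with it) is easy to see in code. The following is an added example, not code from the thread or its posters: it parses a dict-shaped string with ast.literal_eval(), which only accepts literal syntax, and puts it beside the eval() version the original poster was reaching for. The helper names and both input strings are this example's own constructions.

```python
"""Turning a dict-shaped string into a dict: eval() versus ast.literal_eval().

Added example, not code from the original thread. The configuration strings
below are constructed for illustration; the helper names are this example's own.
"""
import ast

# Constructed sample inputs. The first is the kind of "dict in a string" the
# thread's original poster wanted to parse; the second is what arrives if the
# string can come from a party you do not trust.
TRUSTED_TEXT = "{'host': 'db.internal', 'port': 5432, 'tls': True}"
HOSTILE_TEXT = "{'host': __import__('os').getcwd(), 'port': 5432}"


def dict_from_literal(text):
    """Parse TEXT as a Python literal and require the result to be a dict.

    ast.literal_eval only accepts literal syntax (strings, numbers, tuples,
    lists, dicts, sets, booleans, None). Names, calls and attribute access
    such as __import__(...) are rejected with ValueError before anything runs.
    """
    value = ast.literal_eval(text)
    if not isinstance(value, dict):
        raise TypeError("expected a dict literal, got %s" % type(value).__name__)
    return value


def dict_from_eval(text):
    """The unsafe version: eval() runs whatever code the string contains,
    so the 'host' value in HOSTILE_TEXT is computed by calling os.getcwd()."""
    return eval(text)


def classify(text):
    """Return 'ok' if TEXT is a pure dict literal, 'rejected' otherwise.

    This is the guard to put in front of configuration loading when the
    origin of the text is not fully under your control.
    """
    try:
        dict_from_literal(text)
    except (ValueError, SyntaxError, TypeError):
        return "rejected"
    return "ok"


if __name__ == "__main__":
    # Both parsers agree on the trusted input ...
    print(dict_from_literal(TRUSTED_TEXT))
    print(dict_from_eval(TRUSTED_TEXT))
    # ... but only literal_eval refuses the hostile one; eval() executes it.
    print(classify(TRUSTED_TEXT), classify(HOSTILE_TEXT))
    print(dict_from_eval(HOSTILE_TEXT))
```

For the execfile-for-configuration case described in the post, the same question applies: if the file is writable only by the people who already administer the server, eval-style parsing adds no new trust boundary; if its contents can be influenced from outside, literal_eval (or a real configuration format) is the tool to reach for.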