eval to dict problems NEWB going crazy !

Ant antroy at gmail.com
Fri Jul 7 12:39:38 EDT 2006


> [('recId', 3), ('parse', {'pos': u'np', 'gen': u'm'})]
> [('recId', 5), ('parse', {'pos': u'np', 'gen': u'm'})]
> # line injected by a malicious user
> "__import__('os').system('echo if I were bad I could do worse')"
> [('recId', 7 ), ('parse', {'pos': u'np', 'gen': u'm'})]

I'm curious, if you disabled import, could you make eval safe?

For example:

>>> eval("__import__('os').system('echo if I were bad I could do worse')")
if I were bad I could do worse
0
>>> eval("__import__('os').system('echo if I were bad I could do worse')", {'__import__': lambda x:None})
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<string>", line 0, in ?
AttributeError: 'NoneType' object has no attribute 'system'

So, it seems to be possible to disable access to imports, but is this
enough? Are there other ways to access modules, or do damage via
built-in commands?

It seems that there must be a way to use eval safely, as there are
plenty of apps that embed Python as a scripting language - and what's
the point of an eval function if it is impossible to use safely, and you
have to write your own Python parser!!
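(Editor's note, added example: the following script is not from this thread or from any poster; it is a constructed demonstration of why shadowing `__import__` is not enough. `eval()` inserts the real builtins under `__builtins__` into any globals dict that lacks that key, so the payload can just index that dict. Even with `{'__builtins__': {}}`, attribute access alone walks from `()` to `object.__subclasses__()` and from `os._wrap_close.__init__.__globals__` back to the `os` module. For record data like the lines quoted above, the right tool is `ast.literal_eval`, which appeared later in Python 2.6 and accepts only literals: no names, calls or attribute access. `RECORD_LINES`, the two payload strings and all function names below are constructed for this example.)

```python
import ast
import os

# Constructed sample input: the records quoted in the post, with the
# injected line from the same quote as the third entry.
RECORD_LINES = [
    "[('recId', 3), ('parse', {'pos': u'np', 'gen': u'm'})]",
    "[('recId', 5), ('parse', {'pos': u'np', 'gen': u'm'})]",
    "__import__('os').system('echo if I were bad I could do worse')",
]

# Constructed payloads that never use the name __import__.
# eval() inserts the real builtins dict as __builtins__ into a globals
# dict that lacks that key, so the shadowed name can be bypassed by
# indexing the dict directly.
VIA_BUILTINS = "__builtins__['__import__']('os').getcwd()"
# Walks the class hierarchy from a tuple up to object, picks os._wrap_close
# (a module-level class in os.py) and reads os.getcwd out of the module
# globals captured by its __init__. Needs no builtins at all.
VIA_SUBCLASSES = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__['getcwd']()"
)


def eval_no_import(expr):
    """The restriction proposed in the post: shadow __import__ only."""
    return eval(expr, {"__import__": lambda *a, **k: None})


def eval_no_builtins(expr):
    """The next thing usually tried: an empty __builtins__ dict."""
    return eval(expr, {"__builtins__": {}})


def raises(fn, expr, exc):
    """True if fn(expr) raises exc, i.e. the sandbox blocked that payload."""
    try:
        fn(expr)
    except exc:
        return True
    return False


def escapes_sandbox(fn, payload):
    """True if the payload reached the real os module through fn."""
    return fn(payload) == os.getcwd()


def parse_record(line):
    """Parse one record with ast.literal_eval; non-literals raise ValueError."""
    return ast.literal_eval(line)


def is_literal(line):
    try:
        parse_record(line)
    except (ValueError, SyntaxError):
        return False
    return True


def load_records(lines):
    """Turn every record into a dict, failing loudly on any injected line."""
    records = []
    for n, line in enumerate(lines, 1):
        try:
            records.append(dict(parse_record(line)))
        except (ValueError, SyntaxError):
            raise ValueError("line %d is not a literal record: %r" % (n, line))
    return records


if __name__ == "__main__":
    print("shadowed __import__ stops the quoted payload:",
          raises(eval_no_import, RECORD_LINES[2], AttributeError))
    print("...but __builtins__ is still reachable:",
          escapes_sandbox(eval_no_import, VIA_BUILTINS))
    print("empty __builtins__ stops it too:",
          raises(eval_no_builtins, RECORD_LINES[2], NameError))
    print("...but the class hierarchy still leads to os:",
          escapes_sandbox(eval_no_builtins, VIA_SUBCLASSES))
    print("literal_eval parses the data:", load_records(RECORD_LINES[:2]))
    print("literal_eval rejects the payload:", not is_literal(RECORD_LINES[2]))
```

The two payloads are deliberately harmless (they only call `os.getcwd`), but anything reachable from `os` is reachable the same way, so the conclusion is that `eval()` on untrusted input cannot be made safe by pruning names. Apps that embed Python as a scripting language trust their script authors; for untrusted data, parse it with `ast.literal_eval` (or a real data format) instead.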




More information about the Python-list mailing list