FAQ: How do I calculate what quoted strings and numbers mean?

p.lavarre at ieee.org
Fri Nov 10 09:14:43 EST 2006


> Subject: announce: FAQs suggested ...
> http://effbot.org/pyfaq/suggest.htm has new FAQ's ...
> FAQ: How do I calculate what quoted strings and numbers mean?
>
> A: eval(source, {'__builtins__': {}}) works, without also accidentally
> accepting OS commands as input.
>
> Note: Eval might surprise you if you mistype this idiom as: eval(source, {}).
>
> Note: This idiom makes sense of ordinary Python literals (such as 010, 0x8,
> 8.125e+0, and "\x45ight"). This idiom also correctly interprets simple
> literal expressions, such as 64**0.5.

That suggested FAQ is misleadingly incorrect as stated - we need help
rewording it.

/F correctly commented:
"eval" is never a good choice if you cannot trust the source; it's
trivial to do various denial-of-service attacks. See
http://effbot.org/zone/librarybook-core-eval.htm

Correspondingly, newbie me, I actually did copy the eval(source,
{'__builtins__': {}}) idiom into some code from that page without noticing
the comments re the cost of evaluating literal expressions like 'a' *
(10**9), abuses of __subclass__ and mro(), etc.

But those objections miss the point.  Having had those troubles
explained to me now, I'm still leaving my code unchanged - it still
does what I mean.  That is,

eval(source, {'__builtins__': {}}) works enough like an evaluator of
literals to let you duck the work of writing that evaluator until you
need it. YAGNI.

That's useful, and likely an FAQ.  Anybody out there able to say
concisely what we really mean to say here?

Thanks in advance, Pat LaVarre
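An added illustration of both sides of this thread (editor's example, not code from the post or from the effbot page): it runs the FAQ idiom, the mistyped eval(source, {}) form, and a genuine literal evaluator, ast.literal_eval (added in Python 2.6, after this 2006 thread), over the FAQ's own sample inputs. It assumes Python 3, so the FAQ's 010 is spelled 0o10; the 'a' * (10**9) probe is shrunk to 10**3 so it finishes instantly, and the __subclasses__ probe stops at counting what is reachable from a bare tuple literal rather than going any further.

```python
"""Probe the eval(source, {'__builtins__': {}}) idiom against a real literal
evaluator.  Added example, not from the original post; assumes Python 3."""
import ast

# Inputs taken from the suggested FAQ ('010' is Python 2 octal; Python 3
# spells it '0o10').  COSTLY and ESCAPE stand for the two abuses the thread
# names, scaled down so they return at once.
FAQ_LITERALS = ['0o10', '0x8', '8.125e+0', r'"\x45ight"']
FAQ_EXPRESSION = '64**0.5'
COSTLY = "'a' * (10**3)"      # the thread's 'a' * (10**9), shrunk to 10**3
ESCAPE = "().__class__.__base__.__subclasses__()"   # the '__subclass__' abuse


def eval_idiom(source):
    """The FAQ idiom: eval() with the builtins namespace emptied.
    A fresh dict is built per call because eval() writes into its globals."""
    return eval(source, {'__builtins__': {}})


def eval_mistyped(source):
    """The 'mistyped' form eval(source, {}): CPython silently inserts the real
    __builtins__ into an empty globals dict, so nothing is restricted."""
    return eval(source, {})


def literal(source):
    """A genuine literal evaluator: ast.literal_eval parses the source and
    accepts only literal nodes (numbers, strings, bytes, containers, booleans,
    None).  Anything else raises ValueError; bad syntax raises SyntaxError."""
    return ast.literal_eval(source)


def literal_rejects(source):
    """True if the literal evaluator refuses `source` (no code is run)."""
    try:
        literal(source)
    except (ValueError, SyntaxError):
        return True
    return False


def idiom_blocks_builtin_names():
    """True if the idiom at least hides builtin names such as abs()."""
    try:
        eval_idiom('abs(-1)')
    except NameError:
        return True
    return False


def idiom_still_computes():
    """Length of the string the idiom builds from COSTLY: repetition and
    arithmetic are operators, not builtins, so emptying __builtins__ does not
    limit them.  With 10**9 in place of 10**3 this is the denial of service
    /F means."""
    return len(eval_idiom(COSTLY))


def idiom_reaches_object_subclasses():
    """Number of classes reachable from a bare tuple literal: attribute
    access needs no builtins, so the class hierarchy stays reachable from
    inside the supposed sandbox."""
    return len(eval_idiom(ESCAPE))


def compare(source):
    """Summarise how the three evaluators treat one input."""
    return {
        'literal': None if literal_rejects(source) else literal(source),
        'idiom': eval_idiom(source),
        'mistyped': eval_mistyped(source),
    }


if __name__ == '__main__':
    for src in FAQ_LITERALS + [FAQ_EXPRESSION]:
        print('%-14r -> %r' % (src, compare(src)))
    print('mistyped form sees abs():', eval_mistyped('abs(-1)'))
    print('idiom hides abs():       ', idiom_blocks_builtin_names())
    print('idiom builds %d chars from %s' % (idiom_still_computes(), COSTLY))
    print('idiom reaches %d object subclasses' % idiom_reaches_object_subclasses())
```

For the FAQ as titled (quoted strings and numbers), ast.literal_eval is the evaluator the thread wishes it could duck writing: its cost is linear in the length of the input and it never calls anything. The one FAQ sample it refuses, 64**0.5, is exactly the one that is not a literal; if arithmetic on literals is wanted, that has to be written as a small walk over the ast tree with an explicit whitelist of operators, not delegated to eval().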
