eval() == evil? --- How to use it safely?

James Matthews nytrokiss at gmail.com
Thu Aug 28 19:21:23 EDT 2008


I had an issue once where I was getting true and false statements in text and
needed to convert them into Python boolean objects. So I wrote a function to
parse the text and return True or False based on the text.

On Thu, Aug 28, 2008 at 3:09 PM, Guilherme Polo <ggpolo at gmail.com> wrote:

> On Thu, Aug 28, 2008 at 6:51 PM, Fett <FettManChu at gmail.com> wrote:
> > I am creating a program that requires some data that must be kept up
> > to date. What I plan is to put this data up on a web-site then have
> > the program periodically pull the data off the web-site.
> >
> > My problem is that when I pull the data (currently stored as a
> > dictionary on the site) off the site, it is a string. I can use eval()
> > to make that string into a dictionary, and everything is great.
> > However, this means that I am using eval() on some string on a
> > web-site, which seems pretty un-safe.
> >
> > I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> > them from using pretty much anything, and my nested dictionary of
> > strings is still allowable. What I want to know is:
> >
> > What are the dangers of eval?
> > - I originally was using exec() but switched to eval() because I
> > didn't want some hacker to be able to delete/steal files off my
> > clients' computers. I assume this is not an issue with eval(), since
> > eval won't execute commands.
> > - What exactly can someone do by modifying my code string in a command
> > like: thing = eval(code, {"__builtins__":None}, {}), anything other than
> > assign their own values to the object thing?
>
> By "disabling" __builtins__ you indeed cut some obvious tricks, but
> someone still could send you a string like "10 ** 10 ** 10".
>
> > --
> > http://mail.python.org/mailman/listinfo/python-list
> >
>
>
> --
> -- Guilherme H. Polo Goncalves
>



-- 
http://www.goldwatches.com/
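An added example, not code from anyone in this thread, showing the two points above: the `{"__builtins__": None}` trick does not stop eval() from computing an arbitrary expression (so "10 ** 10 ** 10" is still evaluated), whereas `ast.literal_eval` accepts only Python literals such as the nested dictionary of strings Fett describes and rejects everything else before running it. It also covers James's true/false text without eval(). The sample payloads, the hostile strings, the size cap and the schema check are all constructed for this example.

```python
import ast

# Constructed sample of the payload Fett describes: a nested dict of strings
# fetched from a web-site and received as text.
REMOTE_TEXT = (
    "{'version': '1.2', "
    "'mirrors': {'eu': 'http://example.invalid/a', 'us': 'http://example.invalid/b'}}"
)

# Constructed hostile payloads. The first is the one Guilherme mentions: it is
# a valid expression, so eval() still tries to compute it whatever __builtins__
# holds. The others need a name, call or comprehension, which literals lack.
HOSTILE = [
    "10 ** 10 ** 10",
    "__import__('os').listdir('.')",
    "[x for x in range(3)]",
]

MAX_LEN = 64 * 1024   # assumed cap; literal_eval can still be fed huge literals
MAX_DEPTH = 8         # assumed cap; deep nesting can exhaust the parser's stack


def restricted_eval(text):
    """Fett's approach: eval() with the builtins removed. Arithmetic and
    operators still run; only name lookups into builtins are cut off."""
    return eval(text, {"__builtins__": None}, {})


def parse_config(text):
    """Turn the fetched text into a dict without evaluating code.

    ast.literal_eval accepts only literals (str, bytes, numbers, tuples,
    lists, dicts, sets, booleans, None). Operators, calls, attribute access
    and names raise ValueError before anything executes.
    """
    if len(text) > MAX_LEN:
        raise ValueError("payload too large")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"payload is not a literal: {text[:40]!r}") from exc
    check_str_dict(value)
    return value


def check_str_dict(value, depth=0):
    """Schema check: str keys, values are str or dicts of the same shape."""
    if depth > MAX_DEPTH or not isinstance(value, dict):
        raise ValueError("unexpected structure")
    for key, val in value.items():
        if not isinstance(key, str):
            raise ValueError(f"non-string key {key!r}")
        if isinstance(val, dict):
            check_str_dict(val, depth + 1)
        elif not isinstance(val, str):
            raise ValueError(f"non-string value for {key!r}")


def is_rejected(text):
    """True if parse_config refuses the text (used by the checks below)."""
    try:
        parse_config(text)
    except ValueError:
        return True
    return False


def parse_bool(text):
    """James's true/false-in-text case without eval(): a lookup table."""
    table = {"true": True, "false": False}
    try:
        return table[text.strip().lower()]
    except KeyError:
        raise ValueError(f"not a boolean: {text!r}") from None


if __name__ == "__main__":
    print(parse_config(REMOTE_TEXT))
    print("restricted eval still computes:", restricted_eval("2 ** 10"))
    for payload in HOSTILE:
        print(f"{payload!r:35} rejected by literal_eval: {is_rejected(payload)}")
    print(parse_bool("True"), parse_bool(" false "))
```

Two caveats a practitioner should keep in mind: `ast.literal_eval` only parses, so the size and depth caps above are what protect against a payload built to exhaust memory or the parser's recursion limit; and the schema check is what stops a syntactically valid literal of the wrong shape (a list, or a dict whose values are not strings) from reaching the rest of the program. For data published on a web-site, serving JSON and using `json.loads` with the same schema check is the simpler long-term choice.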

