eval() == evil? --- How to use it safely?

Fett FettManChu at gmail.com
Fri Aug 29 09:14:13 EDT 2008


On Aug 29, 7:42 am, Fett <FettMan... at gmail.com> wrote:
> On Aug 28, 7:57 pm, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
>
> So long story short: if I am expecting a dictionary of strings, I
> should make a parser that only accepts a dictionary of strings then.
> There is no safe way to use an existing construct.
>
> That is what I was afraid of. I know I will have to deal with the
> possibility of bad data, but considering my use (an acronym legend for
> a database), and the fact that the site I plan to use should be
> secure, these issues should be minimal. The users should be able to
> spot any obvious false data, and restoring it should be simple.
>
> Many thanks to all of you for your alarmist remarks. I certainly don't
> want to, in any way, put my clients' computers at risk by providing
> unsafe code.

On a related note, what if I encrypted and signed the data, then only
ran eval() on the string after it was decrypted and the signature
verified?

It has occurred to me that posting this data on a site might not be
the best idea unless I can be sure that it is not read by anyone it
shouldn't be. So I figure encryption is needed, and as long as I
can sign it as well, then only people with my private signing key
could pass bad data, much less harmful strings.
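Added example (editor's code, not anything posted in this thread): it puts the two ideas above together in Python 3's standard library. An HMAC tag stands in for the signature and is checked before the text is touched at all; the text is then parsed with ast.literal_eval (Python 2.6 and later) and checked to be exactly a dict of str -> str, which is the "parser that only accepts a dictionary of strings" from the quoted message. The two checks are independent on purpose: a valid signature only proves who produced the text, so the parsing step must still be one that cannot run code. The key and the sample legend are constructed for the demo, and the encryption step is left out because the standard library has no authenticated-encryption primitive to show it with.

```python
"""Accept an acronym legend (dict of str -> str) without eval().

Check 1: HMAC-SHA256 tag over the text proves it came from a key holder.
Check 2: ast.literal_eval plus a shape test proves the text is only a
         dictionary of strings, so even a key holder cannot ship code.
"""
import ast
import hashlib
import hmac
import secrets


class LegendError(ValueError):
    """Bad tag, or a payload that is not a dict of strings."""


def parse_legend(text):
    """Parse a Python-literal dict of strings; reject anything else.

    literal_eval only builds literals (strings, numbers, tuples, lists,
    dicts, ...); names, calls and attribute access raise ValueError, so
    "__import__('os').system('...')" is refused instead of executed.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise LegendError("payload is not a Python literal: %r" % (exc,)) from exc
    if not isinstance(value, dict):
        raise LegendError("expected a dict, got %s" % type(value).__name__)
    for key, val in value.items():
        if not (isinstance(key, str) and isinstance(val, str)):
            raise LegendError("legend must map str -> str, got %r: %r" % (key, val))
    return value


def is_legend(text):
    """True if text parses as a legend, False if it was rejected."""
    try:
        parse_legend(text)
    except LegendError:
        return False
    return True


def _tag(key, payload):
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_legend(key, legend):
    """Serialise a dict of strings and return (payload, tag)."""
    payload = repr(legend)
    parse_legend(payload)  # refuse to sign anything we would not accept back
    return payload, _tag(key, payload)


def verify_tag(key, payload, tag):
    """Constant-time comparison of the expected and presented tags."""
    expected = _tag(key, payload).encode("utf-8")
    return hmac.compare_digest(expected, tag.encode("utf-8"))


def load_signed_legend(key, payload, tag):
    """Verify the tag first, then parse; a bad tag is never parsed."""
    if not verify_tag(key, payload, tag):
        raise LegendError("tag mismatch; payload rejected unparsed")
    return parse_legend(payload)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed demo key; keep the real one off the site
    legend = {"SQL": "Structured Query Language", "ACL": "Access Control List"}
    payload, tag = sign_legend(key, legend)
    print("loaded:", load_signed_legend(key, payload, tag))
    for bad in [
        "__import__('os').system('echo pwned')",  # code, not a literal
        "{'SQL': __import__('os')}",               # literal dict wrapping a call
        "{'SQL': 1}",                              # right shape, wrong value type
        "['SQL', 'ACL']",                          # a literal, but not a dict
    ]:
        print("rejected by parser:", bad, "->", is_legend(bad))
    # Tampering with the text fails the tag check before parsing is attempted
    print("tampered payload verifies:", verify_tag(key, payload + " ", tag))
```

Because the HMAC key is symmetric, anyone who can verify can also sign; if readers of the legend must not be able to forge it, swap _tag/verify_tag for a public-key signature (a library such as cryptography or PyNaCl) and keep the rest unchanged.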
