Safe eval of insecure strings containing Python data structures?
Warren DeLano
warren at delsci.com
Thu Oct 9 00:26:04 EDT 2008
JSON rocks! Thanks everyone.
Ben wrote:
> More generally, you should never execute (via eval, exec, or whatever)
> *any* instruction from an untrusted path; especially not arbitrary
> data from an input stream.
Wow, for the record, I completely disagree with this point of view: today's web apps wouldn't exist without safe forms of untrusted eval/exec (JavaScript, anyone?). Such dogma is appropriate when dealing with the CPython VM, but not as a general principle.
"Rocket fuel may be dangerous, but you ain't shooting the moon without it!"
Cheers,
Warren
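The contrast the thread turns on, as an added example (not code from the original post or its author): Python's eval() executes whatever an untrusted sender writes, while json.loads and ast.literal_eval from the standard library parse the same kind of data structures without ever calling a function. The sample inputs are constructed for this example; the "hostile" string calls os.getpid() as a harmless stand-in for arbitrary code.

```python
import ast
import json

# Constructed sample inputs for this example (none come from the thread).
JSON_INPUT = '{"user": "alice", "roles": ["admin", "ops"], "active": true}'
PY_REPR_INPUT = "{'user': 'alice', 'roles': ('admin', 'ops'), 'active': True}"
# Stands in for an attacker-controlled string: getpid() is harmless, but
# eval() would run anything written here with the process's privileges.
HOSTILE_INPUT = "__import__('os').getpid()"


def parse_with_eval(text):
    """The unsafe pattern: the string is executed as Python code."""
    return eval(text)


def parse_untrusted(text):
    """Data-only parsing: accept JSON or Python literal syntax, never code.

    json.loads yields only dict/list/str/int/float/bool/None.
    ast.literal_eval accepts Python literals (quotes, True/None, tuples)
    but rejects names, calls and attribute access.
    Returns (format_name, value); raises ValueError for anything else.
    """
    try:
        return "json", json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        pass
    try:
        return "python-literal", ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("not a plain data literal: %r" % text[:40]) from exc


def is_data_only(text):
    """True if the data-only parser accepts `text`, False if it rejects it."""
    try:
        parse_untrusted(text)
    except ValueError:
        return False
    return True


def runs_code(text):
    """True when eval() succeeds on `text` but the data-only parser rejects
    it, i.e. eval() did something other than build a data structure."""
    try:
        parse_with_eval(text)
    except Exception:  # e.g. NameError: JSON's `true` is not a Python name
        return False
    return not is_data_only(text)


if __name__ == "__main__":
    print(parse_untrusted(JSON_INPUT))
    print(parse_untrusted(PY_REPR_INPUT))
    print("hostile input accepted as data:", is_data_only(HOSTILE_INPUT))
    print("hostile input runs code under eval():", runs_code(HOSTILE_INPUT))
```

json.loads is the right tool when the wire format is JSON; ast.literal_eval covers strings produced by repr() of Python containers, which JSON cannot express (tuples, single quotes, True/None). Neither gives a sender any way to reach __import__, attributes or calls, which is exactly what eval() hands over.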