Safe eval of insecure strings containing Python data structures?

James Mills prologic at shortcircuit.net.au
Thu Oct 9 00:32:53 EDT 2008


On Thu, Oct 9, 2008 at 2:26 PM, Warren DeLano <warren at delsci.com> wrote:
> JSON rocks!  Thanks everyone.

Yes it does :)

> Ben wrote:
>
>>More generally, you should never execute (via eval, exec, or whatever)
>>*any* instruction from an untrusted path; especially not arbitrary
>>data from an input stream.

I second this.

> Wow, for the record,  I completely disagree with this point of view:
> Today's web apps wouldn't exist without safe forms of untrusted eval/exec
> (Javascript anyone?).  Such dogma is appropriate when dealing with the
> CPython VM, but not as a general principle.

It's far better to use Data Structures
rather than Programming Constructs
to represent and transmit your data.

> "Rocket fuel may be dangerous, but you ain't shooting the moon without it!"

Do we trust fuel from untrusted sources?

cheers
James

-- 
--
-- "Problems are solved by method"
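As an added illustration of the point made in this reply (example code written for this page, not from the original post or anyone in the Python-list thread): the same three strings are handed to eval, to ast.literal_eval and to json.loads. The sample strings, the record layout in EXPECTED and every function name are constructed for the example.

```python
"""Data parsers versus eval: the same strings fed to eval, ast.literal_eval
and json.loads.  All sample strings below are constructed for this example."""
import ast
import json

# Constructed sample inputs (hypothetical, not from the original post).
BENIGN = '{"user": "alice", "roles": ["admin", "dev"], "quota": 42}'
# Looks like a "value" but is a programming construct: eval would run it.
# The payload is deliberately harmless (os.getcwd) to keep the demo safe.
MALICIOUS = '__import__("os").getcwd()'
# Python literal syntax (single quotes, tuple): not JSON, but still pure data.
PY_LITERAL = "{'user': 'alice', 'roles': ('admin',), 'quota': 42}"


def unsafe_eval(s):
    """Demonstration only: eval executes whatever the string says.
    Never do this with input you do not control."""
    return eval(s)  # deliberately unsafe


def parse_json(s):
    """json.loads builds dicts/lists/strings/numbers/bools/None and nothing else."""
    return json.loads(s)


def parse_python_literal(s):
    """ast.literal_eval accepts only literal syntax (containers, strings,
    numbers, True/False/None) and raises on calls, names and attributes."""
    return ast.literal_eval(s)


def accepted_by(s):
    """Report which data parsers accept a string.  The code-like payload is
    rejected by both, which is exactly why they are safe where eval is not."""
    verdict = {}
    try:
        parse_json(s)
        verdict["json"] = True
    except ValueError:          # json.JSONDecodeError is a ValueError
        verdict["json"] = False
    try:
        parse_python_literal(s)
        verdict["literal_eval"] = True
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        # MemoryError/RecursionError: literal_eval can still be crashed by
        # absurdly nested input, so treat those as rejection too.
        verdict["literal_eval"] = False
    return verdict


# Safe parsing stops code execution; the application still has to check
# that the data has the shape it expects.  Hypothetical record layout:
EXPECTED = {"user": str, "roles": list, "quota": int}


def load_record(s):
    """Parse BENIGN-style records as JSON and validate keys and types."""
    obj = parse_json(s)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    unknown = set(obj) - set(EXPECTED)
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    for key, typ in EXPECTED.items():
        if key not in obj:
            raise ValueError(f"missing key: {key}")
        # bool is a subclass of int, so reject it explicitly for "quota".
        if isinstance(obj[key], bool) or not isinstance(obj[key], typ):
            raise ValueError(f"bad type for {key}: {type(obj[key]).__name__}")
    if not all(isinstance(r, str) for r in obj["roles"]):
        raise ValueError("roles must be a list of strings")
    return obj


def rejects(fn, s):
    """True if fn(s) raises ValueError (used to show validation failures)."""
    try:
        fn(s)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, s in [("benign", BENIGN), ("malicious", MALICIOUS),
                     ("py_literal", PY_LITERAL)]:
        print(label, accepted_by(s))
    print("eval ran code and returned:", unsafe_eval(MALICIOUS))
    print(load_record(BENIGN))
```

Both data parsers reject the code-like string outright, while eval happily runs it; that is the whole difference between transmitting data and transmitting programming constructs. ast.literal_eval is the right tool only when the sender is Python and uses Python literal syntax (it rejects JSON's true/false/null, which it sees as names); json.loads is the cross-language choice. Either way, parsing only removes the code-execution risk, so the shape check in load_record is still the application's job.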



More information about the Python-list mailing list