Safe eval of insecure strings containing Python data structures?
James Mills
prologic at shortcircuit.net.au
Thu Oct 9 00:32:53 EDT 2008
On Thu, Oct 9, 2008 at 2:26 PM, Warren DeLano <warren at delsci.com> wrote:
> JSON rocks! Thanks everyone.
Yes it does :)
> Ben wrote:
>
>> More generally, you should never execute (via eval, exec, or whatever)
>> *any* instruction from an untrusted path; especially not arbitrary
>> data from an input stream.
I second this.
> Wow, for the record, I completely disagree with this point of view:
> Today's web apps wouldn't exist without safe forms of untrusted eval/exec
> (Javascript anyone?). Such dogma is appropriate when dealing with the
> CPython VM, but not as a general principle.
It's far better to use Data Structures rather than Programming Constructs to represent and transmit your data.
> "Rocket fuel may be dangerous, but you ain't shooting the moon without it!"
Do we trust fuel from untrusted sources?
cheers
James
--
--
-- "Problems are solved by method"
More information about the Python-list mailing list
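A worked illustration of the point made in this thread, added here as an example; it is not code from the original post or from any of the participants. It puts the three approaches side by side on the same untrusted string: eval(), which executes whatever the string contains; ast.literal_eval(), which accepts only Python literal syntax; and json.loads(), the data-structure transport the thread settles on. The sample inputs, the MAX_LEN limit and the nesting-depth probe are constructed for this example and are assumptions, not values from the thread.

```python
import ast
import json

# Constructed sample inputs for this example (not from the thread).
BENIGN_PY = "{'host': 'db01', 'ports': [5432, 5433], 'ro': True}"
BENIGN_JSON = '{"host": "db01", "ports": [5432, 5433], "ro": true}'
# To the eye this is "just a dict literal", but the value is a call
# expression: eval() runs it, a literal/JSON parser refuses it.
HOSTILE = "{'n': __import__('math').factorial(5)}"
# Pathologically deep nesting: a parser that recurses per level will
# blow its stack long before it finishes, so input must be bounded first.
NESTED = "[" * 100_000 + "]" * 100_000

MAX_LEN = 64 * 1024  # assumed upper bound on accepted input; tune per application


def parse_with_eval(text):
    """Unsafe on purpose: shows why eval() is not a parser for untrusted data."""
    return eval(text)


def parse_with_literal_eval(text):
    """Accepts Python literal syntax only (str, bytes, numbers, tuples,
    lists, dicts, sets, booleans, None). Names and calls raise ValueError,
    so __import__(...) in the input is rejected rather than executed."""
    return ast.literal_eval(text)


def parse_untrusted(text):
    """Preferred path: JSON, with the input size bounded before decoding.
    Returns the decoded value, or None if the text is rejected for any
    reason (not JSON, too long, too deeply nested)."""
    if not isinstance(text, str) or len(text) > MAX_LEN:
        return None
    try:
        return json.loads(text)
    except (ValueError, RecursionError, MemoryError):
        # json.JSONDecodeError is a ValueError; deep nesting surfaces as
        # RecursionError (or MemoryError on some builds). All mean "reject".
        return None


def rejects(parser, text):
    """True if `parser` refuses `text` by raising, used to compare parsers."""
    try:
        parser(text)
    except (ValueError, SyntaxError, RecursionError, MemoryError):
        return True
    return False


if __name__ == "__main__":
    # eval() returns {'n': 120}: the 120 appears nowhere in the input,
    # which is the evidence that code ran, not that data was parsed.
    print("eval         :", parse_with_eval(HOSTILE))
    print("literal_eval :", "rejected" if rejects(parse_with_literal_eval, HOSTILE)
          else parse_with_literal_eval(HOSTILE))
    print("json         :", parse_untrusted(HOSTILE))
    print("json, benign :", parse_untrusted(BENIGN_JSON))
    print("json, nested :", parse_untrusted(NESTED))
```

Two things worth noting. First, ast.literal_eval() is the narrow answer to the question in the subject line (an existing string that happens to contain a Python literal), while JSON is the better choice for anything you get to design, because it is a data format with parsers in every language rather than a subset of one language's syntax. Second, neither parser removes the need to bound the input: a literal parser cannot execute code, but it can still be handed a string that exhausts the stack or memory, which is why parse_untrusted() checks the length before decoding and treats RecursionError like any other bad input.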