Safe eval of insecure strings containing Python data structures?
Ben Finney
bignose+hates-spam at benfinney.id.au
Wed Oct 8 21:56:03 EDT 2008
"Warren DeLano" <warren at delsci.com> writes:
> I would like to parse arbitrary insecure text string containing
> nested Python data structures in eval-compatible form:
It sounds like you want the ‘json’ library, new in Python 2.6
<URL:http://www.python.org/doc/current/library/json>. It's intended
for serialising and deserialising text streams for *data only* (not
executable code).
> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...
More generally, you should never execute (via eval, exec, or whatever)
*any* instruction from an untrusted path; especially not arbitrary
data from an input stream.
--
\ “A hundred times every day I remind myself that […] I must |
`\ exert myself in order to give in the same measure as I have |
_o__) received and am still receiving” —Albert Einstein |
Ben Finney
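The data-only parsing the reply recommends, worked through as an added example (this is not code from the original thread): json.loads for JSON text and, because the original question asks for eval-compatible Python literal syntax, ast.literal_eval (also new in Python 2.6) as the equivalent for that dialect. Both accept nested containers and scalars only and refuse attribute access, calls and names, which is exactly what eval() would execute. The input strings, the size limit and the function names are constructed for illustration.

```python
"""Parse untrusted text carrying nested data structures without executing it.

Added example for this thread; not code from the original post.
"""
import ast
import json

# Constructed inputs (not from the thread).
BENIGN_JSON = (
    '{"name": "sample", "values": [1, 2.5, null, true], "nested": {"k": ["a", "b"]}}'
)
BENIGN_PYLIT = (
    "{'name': 'sample', 'values': (1, 2.5, None, True), 'nested': {'k': ['a', 'b']}}"
)
# Valid Python expression that only does attribute access and a call, yet
# eval() would run it and hand back every subclass of object in the process.
MALICIOUS = "().__class__.__bases__[0].__subclasses__()"

# Assumed bound: both parsers are recursive, so cap the input before parsing
# rather than letting a deeply nested payload exhaust the interpreter.
MAX_INPUT_BYTES = 1 << 20


def unsafe_eval(text):
    """The pattern the question started from: eval() on untrusted input."""
    return eval(text)  # do not do this; shown only for contrast


def _check_size(text):
    if len(text) > MAX_INPUT_BYTES:
        raise ValueError("input too large (%d bytes)" % len(text))


def load_json_only(text):
    """Parse JSON text; raise ValueError for anything that is not JSON data."""
    _check_size(text)
    try:
        return json.loads(text)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise ValueError("not valid JSON data: %s" % exc)


def load_python_literal(text):
    """Parse a Python literal (dict/list/tuple/set/str/bytes/number/None/bool).

    ast.literal_eval walks the parsed AST and rejects every node type other
    than literals and containers, so names, attributes and calls never run.
    """
    _check_size(text)
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("not a plain Python literal: %s" % exc)


def classify(text):
    """Report which of the two data-only parsers accept the given text."""
    results = {}
    for name, loader in (("json", load_json_only), ("literal", load_python_literal)):
        try:
            loader(text)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for label, text in (("json", BENIGN_JSON), ("pylit", BENIGN_PYLIT), ("attack", MALICIOUS)):
        print(label, classify(text))
```

Note that the two dialects differ: the JSON sample uses null/true and is refused by ast.literal_eval, while the Python-literal sample uses single quotes, a tuple and None and is refused by json.loads. Pick the one that matches the format you actually receive rather than falling back to eval() when the other fails.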