Simple Python Sandbox

Christian Heimes lists at cheimes.de
Sat Aug 14 20:36:47 EDT 2010


> For example, when you go to save your bit of code, it will go in and if
> it finds __ anywhere in the text it just replaces it with xx. And, since
> getattr is not available, '_' + '_' won't get you anywhere.

That's not as secure as you might think. First of all, you can write "_"
in more ways than you may think.

>>> 2*chr(0x5f) + "insecure" + 2*chr(0x5f)
'__insecure__'
>>> "\x5f\x5finsecure\x5f\x5f"
'__insecure__'
>>> str(u"\N{LOW LINE}\N{LOW LINE}insecure\N{LOW LINE}\N{LOW LINE}")
'__insecure__'

If you have access to eval, exec or compile you can easily work around
your restrictions:

>>> getattribute = eval("object.__getattribute__")
>>> getattribute(int, "__new__")(int, "3")
3

As you can see, black listing isn't the best approach here.

Christian
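The "__" -> "xx" filter from the quoted proposal, together with the payloads above, as a runnable demonstration. This is an added example, not code from the original post; the sandbox namespace (a handful of builtins, no getattr, eval left reachable) is an assumption made to mirror the proposal being discussed.

```python
"""Blacklist bypass demo (added example; not code from the original post).

The quoted proposal filters user code by replacing every "__" with "xx"
before running it. Each payload below contains no literal "__" in its
source text, so the filter leaves it alone, yet the string it builds at
runtime is the real dunder name.
"""


def naive_sanitize(code: str) -> str:
    """The proposed blacklist: textual replacement of "__" in the source."""
    return code.replace("__", "xx")


# Assumed sandbox namespace: a few harmless-looking builtins, no getattr,
# but eval reachable (the situation the post warns about).
SANDBOX_BUILTINS = {"chr": chr, "str": str, "int": int, "object": object, "eval": eval}


def run_sandboxed(code: str) -> dict:
    """Sanitize, then exec with a restricted builtins dict; return the namespace."""
    namespace = {"__builtins__": SANDBOX_BUILTINS}
    exec(naive_sanitize(code), namespace)
    return namespace


# Constructed payloads. Raw strings keep the escape sequences as source text,
# which is exactly what the filter sees when a user submits them.
PAYLOADS = {
    "chr": 'name = 2 * chr(0x5F) + "class" + 2 * chr(0x5F)',
    "hex_escape": r'name = "\x5f\x5fclass\x5f\x5f"',
    "unicode_name": r'name = "\N{LOW LINE}\N{LOW LINE}class\N{LOW LINE}\N{LOW LINE}"',
}


def filter_untouched(payload: str) -> bool:
    """True when the blacklist finds nothing to replace in the payload."""
    return naive_sanitize(payload) == payload


def dunder_survives(payload: str) -> bool:
    """True when the filtered payload still evaluates to the literal '__class__'."""
    return filter_untouched(payload) and run_sandboxed(payload)["name"] == "__class__"


def eval_bypass() -> int:
    """With eval reachable, the filtered source never has to mention a dunder.

    This is the post's object.__getattribute__ trick with the dunder names
    assembled at runtime, so the outer source passes the filter unchanged.
    Returns int.__new__(int, "3"), i.e. 3.
    """
    payload = (
        "d = 2 * chr(0x5F)\n"
        'getattribute = eval("object." + d + "getattribute" + d)\n'
        'result = getattribute(int, d + "new" + d)(int, "3")\n'
    )
    if not filter_untouched(payload):
        raise AssertionError("payload unexpectedly matched the blacklist")
    return run_sandboxed(payload)["result"]


if __name__ == "__main__":
    # The filter does fire on a literal dunder...
    print(run_sandboxed('name = "__class__"')["name"])  # xxclassxx
    # ...but every runtime-constructed spelling slips past it.
    for label, payload in PAYLOADS.items():
        print(f"{label:13s} bypass: {dunder_survives(payload)}")
    print("eval bypass ->", eval_bypass())
```

Only the literal spelling is caught; anything that produces the underscores at runtime (chr, escape sequences, \N{} names, or an eval'd string) is invisible to a source-text blacklist, which is the point of the post.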



