Use eval() safely?
Steven D'Aprano
steve at REMOVE-THIS-cybersource.com.au
Sun Feb 21 18:33:45 EST 2010
On Sun, 21 Feb 2010 22:25:11 +0100, W. Martin Borgert wrote:
> Hi,
>
> I know that this issue has been discussed before, but most of the time
> using only one argument to eval().
>
> Is it possible to use the following code, e.g. run as part of a web
> application, to break in and if so, how?
>
> import math
>
> def myeval(untrustedinput):
>     return eval(untrustedinput, {"__builtins__": None},
>                 { "abs": abs, "sin": math.sin })
>
> Is it possible to define functions or import modules from the untrusted
> input string?
>
> Which Python built-ins and math functions would I have to add to the
> functions dictionary to make it unsafe?
You've got the right idea, but the task is difficult.
Please read this thread:
http://tav.espians.com/a-challenge-to-break-python-security.html
--
Steven
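Added here as an editor's example, not code from either poster: a whitelist evaluator built on Python's ast module, the usual defensive alternative to restricting eval()'s namespaces. It accepts only the numeric grammar the question needs (int/float literals, arithmetic, calls to abs and sin) and refuses names, attribute access, subscripts, lambdas and comprehensions before anything is evaluated, so the question of which built-ins are "safe" to expose never arises. The max_len and exponent bounds are my assumptions, not from the thread.

```python
import ast
import math
import operator

class UnsafeExpression(ValueError):
    """Raised for any construct outside the numeric-expression whitelist."""

# Whitelisted callables, mirroring the dictionary in the question; nothing else
# can be referenced, and attribute access of any kind is refused outright.
ALLOWED_FUNCS = {"abs": abs, "sin": math.sin}

def _bounded_pow(a, b):
    # Unbounded exponentiation is a cheap denial of service ("9**9**9**9").
    if abs(b) > 1000:  # assumed limit
        raise UnsafeExpression("exponent too large")
    return operator.pow(a, b)

BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: _bounded_pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def _eval_node(node):
    # type() rather than isinstance() so bool literals are not treated as ints.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.Call):
        # Only a bare whitelisted name may be called; starred arguments reach
        # _eval_node recursively and are refused there like any other node.
        if (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_FUNCS
                and not node.keywords):
            return ALLOWED_FUNCS[node.func.id](*[_eval_node(a) for a in node.args])
        raise UnsafeExpression("call not allowed")
    # ast.Name, ast.Attribute, ast.Subscript, ast.Lambda, comprehensions, ...
    raise UnsafeExpression(f"construct not allowed: {type(node).__name__}")

def safe_eval(untrusted_input, max_len=200):
    """Evaluate a numeric expression from an untrusted string without eval()."""
    if len(untrusted_input) > max_len:  # assumed limit; also bounds parser depth
        raise UnsafeExpression("expression too long")
    tree = ast.parse(untrusted_input, mode="eval")  # SyntaxError propagates
    return _eval_node(tree.body)

def is_rejected(untrusted_input):
    try:
        safe_eval(untrusted_input)
    except (ValueError, SyntaxError):  # UnsafeExpression is a ValueError
        return True
    return False
```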