Use eval() safely?
Jonathan Gardner
jgardner at jonathangardner.net
Mon Feb 22 14:45:10 EST 2010
On Sun, Feb 21, 2010 at 1:25 PM, W. Martin Borgert <debacle at debian.org> wrote:
>
> I know that this issue has been discussed before, but most of
> the time using only one argument to eval().
>
> Is it possible to use the following code, e.g. run as part of a
> web application, to break in and if so, how?
>
> import math
>
> def myeval(untrustedinput):
>     return eval(untrustedinput, {"__builtins__": None},
>                 { "abs": abs, "sin": math.sin })
>
> Is it possible to define functions or import modules from the
> untrusted input string?
>
> Which Python built-ins and math functions would I have to add to
> the functions dictionary to make it unsafe?
>
Why would you ever run untrusted code on any machine in any language,
let alone Python?
If you're writing a web app, make it so that you only run trusted
code. That is, code installed by the admin, or approved by the admin.
--
Jonathan Gardner
jgardner at jonathangardner.net
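As an added illustration (not part of either poster's message), the usual defensive answer to the quoted question is to stop calling eval() on untrusted text altogether and instead parse it with the ast module and walk the tree with a whitelist of node types, exposing only the same two functions the original myeval() allowed. The depth, length and exponent limits are assumed values chosen for the example.

```python
import ast
import math
import operator

# Whitelist matching the functions the quoted myeval() exposed.
ALLOWED_FUNCS = {"abs": abs, "sin": math.sin}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_DEPTH = 20       # assumed limit on nesting so input cannot exhaust the stack
MAX_EXPONENT = 64    # assumed limit so a large power cannot burn CPU and memory

def _walk(node, depth):
    """Evaluate one AST node; anything outside the whitelist raises ValueError."""
    if depth > MAX_DEPTH:
        raise ValueError("expression nested too deeply")
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand, depth + 1))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _walk(node.left, depth + 1), _walk(node.right, depth + 1)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in ALLOWED_FUNCS and not node.keywords):
        args = [_walk(a, depth + 1) for a in node.args]
        return ALLOWED_FUNCS[node.func.id](*args)
    # Bare names, attribute access, subscripts, strings, lambdas, comprehensions
    # and every other node type are refused, so there is no object graph to reach.
    raise ValueError("disallowed syntax: %s" % type(node).__name__)

def safe_eval(untrustedinput, max_len=200):
    """Evaluate an arithmetic expression from untrusted input without eval()."""
    if len(untrustedinput) > max_len:
        raise ValueError("expression too long")
    tree = ast.parse(untrustedinput, mode="eval")   # parses only; nothing executes
    return _walk(tree.body, 0)

def is_rejected(untrustedinput):
    """True when safe_eval refuses the input (handy for tests and for logging)."""
    try:
        safe_eval(untrustedinput)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return True
    return False
```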