How is correct use of eval()

Steven D'Aprano steve at REMOVE-THIS-cybersource.com.au
Mon Oct 11 19:15:01 EDT 2010


On Mon, 11 Oct 2010 11:18:37 -0700, Chris Rebert wrote:

> On Mon, Oct 11, 2010 at 11:11 AM, Cata <catalinfest at gmail.com> wrote:
>> Hi.
>> I read about eval().
>> I also read about this "bug":
>> cod = raw_input('Enter:')
>> eval(cod)
>> if I use "rm -rf ~" all files will be deleted.
> 
> That's incorrect. eval() does not (directly) run shell commands. It does
> evaluate arbitrary Python expressions though, which can delete files and
> do other things just as nasty as rm -rf.
> 
>> What is correct way to use this function?
> 
> To not use it in the first place if at all possible (use int(), float(),
> getattr(), etc. instead, depending on what you're doing), or to only use
> it with trusted or heavily validated input.

Furthermore, consider that no matter how clever you are at guessing all 
the possible tricks that bad guys might introduce to your code, you can 
never be sure you have guessed *all* of them.


-- 
Steven
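As an added example, not from any post in this thread, here is the snippet Cata quoted set against the alternatives Chris names (int(), float(), getattr(), and ast.literal_eval for literal values), written for Python 3. The sample inputs are constructed; `contrast()` only exists to show side by side that eval() runs whatever expression it is handed while literal_eval() refuses anything that is not a plain literal.

```python
import ast

# Constructed samples standing in for what a user might type at the prompt.
LITERALS = ["42", "-3.5", "'text'", "[1, 2, 'a']", "{'k': None}"]
NOT_LITERALS = ["len('abc') * 2", "calls.append('ran')", "1 +"]

def parse_literal(text):
    """Turn user text into a value without executing it.

    ast.literal_eval accepts only literals (numbers, strings, bytes, tuples,
    lists, dicts, sets, booleans, None) and raises on anything that would
    need evaluation, such as a call, an operator or an attribute lookup.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("not a plain literal: %r" % text)

def parse_typed(text, kind):
    """For a field whose type is already known, the constructor is enough."""
    converters = {"int": int, "float": float}
    if kind not in converters:
        raise ValueError("unknown field kind %r" % kind)
    return converters[kind](text.strip())

def lookup_attr(obj, name, allowed):
    """getattr() behind an allowlist, in place of eval('obj.' + name)."""
    if name not in allowed:
        raise ValueError("attribute %r is not permitted" % name)
    return getattr(obj, name)

def contrast(text, calls):
    """Return (eval_outcome, literal_outcome) for the same input TEXT.

    CALLS is a list that the sample 'calls.append(...)' mutates: the side
    effect eval() permits and parse_literal() never reaches.
    """
    try:
        ev = ("value", eval(text, {"calls": calls}))
    except Exception as exc:
        ev = ("error", type(exc).__name__)
    try:
        lit = ("value", parse_literal(text))
    except ValueError:
        lit = ("rejected", None)
    return ev, lit

if __name__ == "__main__":
    calls = []
    for sample in LITERALS + NOT_LITERALS:
        print("%-22r eval=%r literal_eval=%r" % ((sample,) + contrast(sample, calls)))
    print("side effects via eval():", calls)
```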


