Yet another attempt at a safe eval() call
Tim Chase
python.list at tim.thechases.com
Thu Jan 3 20:11:18 EST 2013
On 01/03/13 17:25, Grant Edwards wrote:
> class ParseError(Exception):
>     pass
>
> def lessDangerousEval(expr):
>     global symbolTable
>     if 'import' in expr:
>         raise ParseError("operand expressions are not allowed to contain the string 'import'")
>     globals = {'__builtins__': None}
>     locals = symbolTable
>     return eval(expr, globals, locals)
>
> I can guarantee that symbolTable is a dict that maps a set of string
> symbol names to integer values.
For what definition of "safe"? Are CPython segfaults a problem?
Blowing the stack? Do you aim to prevent exploitable things like
system calls or network/file access?
-tkc
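One way to get an evaluator for which those questions have clear answers, added here as an example that is not code from either poster: parse the operand with the ast module and walk only a whitelist of node types, so eval() never runs at all. symbolTable is a constructed stand-in for the dict described in the quoted message; the length and nesting limits are assumed values.

```python
import ast
import operator

# Constructed stand-in for the poster's symbolTable: string names -> ints.
symbolTable = {"x": 6, "y": 7, "limit": 100}

# Only these node types and operators are accepted; attribute access, calls,
# subscripts, comprehensions, etc. are rejected, so nothing in the expression
# can reach __builtins__ or the import machinery regardless of its spelling.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.FloorDiv: operator.floordiv,
            ast.Mod: operator.mod}   # Pow left out: huge ints burn CPU/memory
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_EXPR_LEN = 200   # refuse oversized input before it reaches the parser
MAX_DEPTH = 20       # bound nesting so hostile input cannot blow the stack


class ParseError(ValueError):
    pass


def _eval_node(node, symbols, depth):
    if depth > MAX_DEPTH:
        raise ParseError("expression nested too deeply")
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value      # plain int literal; bools deliberately excluded
    if isinstance(node, ast.Name):
        if node.id not in symbols:
            raise ParseError("unknown symbol %r" % node.id)
        return symbols[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, symbols, depth + 1))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, symbols, depth + 1)
        right = _eval_node(node.right, symbols, depth + 1)
        return _BIN_OPS[type(node.op)](left, right)
    raise ParseError("disallowed syntax: %s" % type(node).__name__)


def safe_int_eval(expr, symbols=None):
    """Evaluate an integer arithmetic expression over the symbol table."""
    if symbols is None:
        symbols = symbolTable
    if len(expr) > MAX_EXPR_LEN:
        raise ParseError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")   # parses only, executes nothing
    except (SyntaxError, ValueError, RecursionError) as exc:
        raise ParseError("cannot parse expression: %s" % exc)
    return _eval_node(tree.body, symbols, 0)
```

Division by zero still surfaces as a ZeroDivisionError from the operator, which the caller should treat like any other bad operand.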