Yet another attempt at a safe eval() call
Grant Edwards
invalid at invalid.invalid
Thu Jan 3 21:34:14 EST 2013
On 2013-01-04, Tim Chase <python.list at tim.thechases.com> wrote:
> On 01/03/13 17:25, Grant Edwards wrote:
>> def lessDangerousEval(expr):
>>     global symbolTable
>>     if 'import' in expr:
>>         raise ParseError("operand expressions are not allowed to contain the string 'import'")
>>     globals = {'__builtins__': None}
>>     locals = symbolTable
>>     return eval(expr, globals, locals)
>>
>> I can guarantee that symbolTable is a dict that maps a set of string
>> symbol names to integer values.
>
> For what definition of "safe"? Are CPython segfaults a problem?
Not by themselves, no.
> Blowing the stack?
Not a problem either. I don't care if the program crashes. It's a
pretty dumb assembler, and it gives up and exits after the first error
anyway.
> Do you aim to prevent exploitable things like system calls or
> network/file access?
Yes, that's mainly what I was wondering about.
--
Grant
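The question above is whether `eval()` with `__builtins__` set to `None` keeps an operand expression away from file, network and system access. An alternative that avoids `eval()` altogether is to parse the expression with the `ast` module and walk the tree, evaluating only integer constants, names in the symbol table and a fixed set of arithmetic and bitwise operators; every other node type (calls, attribute access, subscripts, comprehensions, exponentiation) is rejected before anything is executed. The code below is an added example, not Grant's assembler code; it targets Python 3, the `symbolTable` contents are constructed, and the `ParseError` class is assumed to stand in for the assembler's own exception.

```python
import ast
import operator

# Constructed sample symbol table, standing in for the assembler's symbolTable:
# a dict mapping symbol names to integer values.
symbolTable = {"START": 0x100, "LEN": 16, "MASK": 0xFF}


class ParseError(Exception):
    """Assumed stand-in for the assembler's own ParseError."""


# The only operators the evaluator knows. `/` (ast.Div) is left out because it
# yields floats, and `**` (ast.Pow) because a huge exponent can take unbounded time.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
    ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Invert: operator.invert}


def safe_eval(expr, symbols):
    """Evaluate an integer operand expression without calling eval().

    The string is parsed with ast.parse(mode="eval") and the tree is walked
    node by node. Only integer constants, names present in `symbols`, and the
    operators listed above are accepted; any other construct raises ParseError
    before any evaluation happens, so there is no interpreter state to escape.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise ParseError("syntax error in operand expression: %s" % e)
    try:
        return _walk(tree.body, symbols)
    except ZeroDivisionError:
        raise ParseError("division by zero in operand expression")


def _walk(node, symbols):
    if isinstance(node, ast.Constant):
        # bool is a subclass of int, so check the exact type.
        if type(node.value) is int:
            return node.value
        raise ParseError("only integer constants are allowed")
    if isinstance(node, ast.Name):
        if node.id in symbols:
            return symbols[node.id]
        raise ParseError("undefined symbol %r" % node.id)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _walk(node.left, symbols)
        right = _walk(node.right, symbols)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand, symbols))
    # Call, Attribute, Subscript, Lambda, comprehensions, Pow, Div, ... all land here.
    raise ParseError("disallowed construct: %s" % type(node).__name__)


def is_rejected(expr, symbols=symbolTable):
    """Return True if safe_eval() refuses the expression."""
    try:
        safe_eval(expr, symbols)
    except ParseError:
        return True
    return False


if __name__ == "__main__":
    print(safe_eval("START + LEN*2 - 1", symbolTable))
    print(is_rejected("abs(LEN)"), is_rejected("LEN.real"), is_rejected("2 ** 100000"))
```

Because no expression text is ever handed to `eval()` or `exec()`, the question of what `__builtins__` still exposes does not arise: a call or attribute node is refused by `_walk` regardless of what name it refers to. The cost is that the grammar is limited to exactly the operators in the two tables, which is usually what an assembler wants anyway.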