Sandboxing eval() (was: Calculator)
Jon Ribbens
jon+usenet at unequivocal.eu
Sun Jan 19 12:57:56 EST 2020
On 2020-01-19, musbur at posteo.org <musbur at posteo.org> wrote:
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem acces or module imports?
>
> I have an application that loads calculation recipes (a few lines of
> variable assignments and arithmetic) from a database.
>
> exec(string, globals, locals)
>
> with locals containing the input variables, and globals has a
> __builtin__ object with a few math functions. It works, but is it safe?
No, not even slightly. If you want to do this you need to write your
own interpreter that runs your own domain-specific language.
More information about the Python-list
mailing list