Sandboxing eval()
Frank
frank at chagford.com
Mon Jan 20 00:09:58 EST 2020
On 2020-01-19 7:53 PM, Paul Moore wrote:
> On Sun, 19 Jan 2020 at 17:45, <musbur at posteo.org> wrote:
>>
>> Is it actually possible to build a "sandbox" around eval, permitting it
>> only to do some arithmetic and use some math functions, but no
>> filesystem access or module imports?
>
> If you require safety, you really need to write your own parser/evaluator.
>
I have written a simple parser/evaluator that is sufficient for my
simple requirements, and I thought I was safe.
Then I saw this comment in a recent post by Robin Becker of ReportLab -
"avoiding simple things like ' '*(10**200) seems quite difficult"
I realised that my method is vulnerable to this and, like Robin, I have
not come up with an easy way to guard against it.
Frank Millman
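As an added illustration (not Frank's or Robin's code), here is the shape of a whitelist evaluator built on Python's `ast` module: it accepts only numeric constants, arithmetic operators and a handful of math functions, and it bounds exponents and intermediate magnitudes so that expressions like `' '*(10**200)` or `9**9**9` are refused before any memory is allocated. The limits MAX_LEN, MAX_ABS and MAX_EXPONENT are assumed values chosen for illustration.

```python
import ast
import math
import operator

# Added example, not the evaluator from the thread; the limits are assumptions.
MAX_LEN = 200          # reject absurdly long expressions up front
MAX_ABS = 10 ** 100    # reject any intermediate result above this magnitude
MAX_EXPONENT = 1000    # refuse x ** y before computing it when |y| is huge
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
_FUNCS = {"sqrt": math.sqrt, "sin": math.sin, "cos": math.cos, "log": math.log}

def _check(value):
    # Magnitude guard: stops 10**200-sized results from being reused further.
    if abs(value) > MAX_ABS:
        raise ValueError("intermediate result too large")
    return value

def _eval(node):
    if isinstance(node, ast.Constant):
        # Only ints and floats: a str constant such as ' ' is rejected here,
        # so ' ' * (10**200) never reaches the multiplication.
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise ValueError("only numeric constants are allowed")
        return _check(node.value)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval(node.left), _eval(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _check(_BIN_OPS[type(node.op)](left, right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _check(_UNARY_OPS[type(node.op)](_eval(node.operand)))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and not node.keywords and node.func.id in _FUNCS):
        return _check(_FUNCS[node.func.id](*[_eval(a) for a in node.args]))
    # Names, attributes, subscripts, comprehensions, lambdas: all rejected.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def safe_eval(expr):
    """Evaluate a restricted arithmetic expression without calling eval()."""
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    return _eval(ast.parse(expr, mode="eval").body)

def is_rejected(expr):
    try:
        safe_eval(expr)
    except (ValueError, SyntaxError, ZeroDivisionError, OverflowError):
        return True
    return False
```

The exponent check runs on the already-evaluated right operand, so nested powers are cut off at the first level whose exponent exceeds the cap rather than after a huge result has been built.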