Sandboxing eval()

Frank Millman frank at chagford.com
Tue Jan 21 23:38:25 EST 2020


On 2020-01-21 3:14 PM, inhahe wrote:
>> I have written a simple parser/evaluator that is sufficient for my
>> simple requirements, and I thought I was safe.
>>
>> Then I saw this comment in a recent post by Robin Becker of ReportLab -
>>
>>       "avoiding simple things like ' '*(10**200) seems quite difficult"
>>
>> I realised that my method is vulnerable to this and, like Robin, I have
>> not come up with an easy way to guard against it.
>>
>> Frank Millman
>>
>>
> Just use floats instead of integers.
> 

I like that idea. I will probably use Decimal instead of float, but the 
principle is the same.

Thanks for the suggestion.

Frank
