[Tutor] exec vs. eval

Remco Gerlich scarblac@pino.selwerd.nl
Thu, 28 Jun 2001 11:59:53 +0200


On  0, Andrew Wilkins <toodles@yifan.net> wrote:
> In an attempt to emulate my graphics calculator, I've started by creating a
> function program. Just for background info, it works by specifying a list of
> functions (or just one). Code is at the end of the email.
> 
> e.g. dfunc(['y=x+1'])
> e.g. dfunc(['x=0'])
> 
> However at the moment, the code isn't very secure...it uses the exec()
> function. As an example of how this could be utilised (and this is a very
> mild example):
> 
> dfunc(['import sys','sys.exit()'])
> #this will exit the interpreter
> 
> Should I be using the RExec module to fix this, or is there an easier
> approach?

No, this is what rexec is for.

Without rexec, the user basically gets the chance to run whatever Python
code he wants with the same rights as your program, and to change the
running program.

-- 
Remco Gerlich