[Python-Dev] Improved evaluator added to ast module

Vinay Sajip vinay_sajip at yahoo.co.uk
Thu Oct 11 19:36:37 CEST 2012


Daniel Holth <dholth <at> gmail.com> writes:

> How does this compare to the markerlib approach? In markerlib you just
> make sure all the AST nodes are in a set of allowed nodes, currently
> (Compare, BoolOp, Attribute, Name, Load, Str, cmpop, boolop), and then
> use the normal eval(). Is one way more secure / fast / flexible than
> the other?

I don't think performance is an issue, and the markerlib approach seems just
as reasonable as the one I've taken, except that it calls eval(), whereas my
approach doesn't. It boils down to what should be allowed in expressions, and
what shouldn't be.

ISTM there is a space for a limited evaluator that's less limiting than
literal_eval(). I do realise that this type of sandboxing is not easy to achieve,
and I'm not aiming to advance the state of the art here - I just want to close
the issue in the best way I can.

Regards,

Vinay Sajip
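The contrast drawn above, an allow-list of AST node kinds followed by the real eval() versus an evaluator that walks the allowed nodes itself, as an added example that is not code from this thread, from markerlib, or from the ast module patch. It assumes a flat dict of dotted names (e.g. "sys.platform") as the only data source, so Attribute never calls getattr, and uses ast.Constant where older Pythons had ast.Str:

```python
import ast
import operator


class UnsafeExpression(ValueError):
    """Raised for any node kind outside the allow-list (Call, Subscript, ...)."""


# Comparison operators understood by the walker (the cmpop part of the allow-list).
_CMP = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


def _dotted(node):
    """Flatten a Name/Attribute chain into 'a.b.c' without touching real objects."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    raise UnsafeExpression("disallowed node %s" % type(node).__name__)


def _eval(node, names):
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value                          # the Str literal case
    if isinstance(node, (ast.Name, ast.Attribute)):
        key = _dotted(node)                        # e.g. "sys.platform"
        if key not in names:                       # blocks sys.__class__ etc.
            raise UnsafeExpression("unknown name %r" % key)
        return names[key]
    if isinstance(node, ast.BoolOp):
        # Short-circuit like Python: stop at first falsy for 'and', truthy for 'or'.
        stop_when = isinstance(node.op, ast.Or)
        value = False
        for sub in node.values:
            value = _eval(sub, names)
            if bool(value) == stop_when:
                break
        return value
    if isinstance(node, ast.Compare):            # supports chains: a < b < c
        left = _eval(node.left, names)
        for op, right_node in zip(node.ops, node.comparators):
            if type(op) not in _CMP:               # e.g. 'is' is not allowed
                raise UnsafeExpression("disallowed operator %s" % type(op).__name__)
            right = _eval(right_node, names)
            if not _CMP[type(op)](left, right):
                return False
            left = right
        return True
    raise UnsafeExpression("disallowed node %s" % type(node).__name__)


def safe_eval(expr, names):
    """Evaluate a marker-style expression against a flat dict of dotted names."""
    return _eval(ast.parse(expr, mode="eval").body, names)
```

Because the walker never hands the tree to eval(), a Call node or a dotted name that is not in the dict fails closed with UnsafeExpression instead of executing.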