[Python-Dev] Improved evaluator added to ast module
Andrea Griffini
agriff at tin.it
Sat Oct 20 10:24:36 CEST 2012
On Thu, Oct 18, 2012 at 5:41 PM, Georg Brandl <g.brandl at gmx.net> wrote:
> On 10/18/2012 03:16 PM, Daniel Holth wrote:
>> On Thu, Oct 11, 2012 at 1:36 PM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
>>> Daniel Holth <dholth <at> gmail.com> writes:
>>>
>>>> How does this compare to the markerlib approach? In markerlib you just
>>>> make sure all the AST nodes are in a set of allowed nodes, currently
>>>> (Compare, BoolOp, Attribute, Name, Load, Str, cmpop, boolop), and then
>>>> use the normal eval(). Is one way more secure / fast / flexible than
>>>> the other?
>>>
>>> I don't think performance is an issue, and the markerlib approach seems just
>>> as reasonable as the one I've taken, except that it calls eval(), whereas my
>>> approach doesn't. It boils down to what should be allowed in expressions, and
>>> what shouldn't be.
I'm not sure if this is pertinent to the safe eval discussion, but
currently it's possible to make python crash with a segfault even by
just *parsing* an expression.
See http://bugs.python.org/issue5765
Andrea
More information about the Python-Dev
mailing list