How do you set up a stack?
kosh
kosh at aesaeion.com
Wed May 9 04:37:00 EDT 2001
s713221 at student.gu.edu.au wrote:
> kosh wrote:
>>
>> Umm. While this solution will work I think there are some things that
>> need to be dealt with. Mainly you need to check f for items that should
>> not be in there. eval will evaluate any valid piece of python code so
>> the other things that can be done are large. This is a fairly large
>> security risk at this point I think. At the very least I would check if
>> it has any letter characters and if so not run them.
>
> Eval will (should?) only evaluate legal pythonic numeric functions. This
> actually covers quite a bit, but unless you define weird class
> structures that overwrite numerical operators to do non-numerical
> operations, you shouldn't have to worry too much about using eval.
>
Eval can evaluate any python expression by default. The other things you
tried were statements and as such they would need exec. I have some complex
thing being done with eval in places that are not numeric at all. However
it is checked thoroughly.
> Simple maths.
> >>> eval("1+2")
> 3
>
> Math with complex numbers (Except "i" is replaced with "j" in python.
> Ask the engineers why. *sighs*)
> >>> eval("(1+2j)-3j")
> (1-1j)
>
> You can also import the math module and use these functions inside the
> eval statement.
> >>> import math
> >>> eval("1+math.sqrt(2)")
> 2.4142135623730949
>
> However, all of these are dealing with numbers. I'd be interested to see
> if someone did have an example of a malicious eval use. (In fact I'd be
> downright anxious to know of any eval security weaknesses. *grins*)
>
> I try to eval a non-numerical statement.
> >>> eval("print 'hello'")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
>   File "<string>", line 1
>     print 'hello'
>     ^
> SyntaxError: invalid syntax
>
> Now I try a different statement that barfs on a different piece of
> syntax.
> >>> eval("if 1==1: print 'hello'")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
>   File "<string>", line 1
>     if 1==1: print 'hello'
>     ^
> SyntaxError: invalid syntax
> >>>
>
> In order to "evaluate" or execute a string as a command, rather than an
> expression, the exec command has to be used. However, if you are really
> paranoid, or would like to convert the following complex number
> statements "1+32i" to correct python, "1+32j", look up the re module.
>
> Anycase, have fun. You should have a great time with the language, and
> with this newsgroup.
>
> Joal Heagney/AncientHart
>
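Added example (not from either poster in this thread): the point kosh makes is that eval accepts any expression, so a calculator that feeds user text to eval cannot be made safe by scanning for a few characters. A check that is actually thorough works on the parsed syntax tree instead. The Python 3 code below parses the text in expression mode (so statements like "if 1==1: ..." fail at the parser, as in Joal's tests), then walks the tree and accepts only numeric constants, the arithmetic operators, and calls to a small function whitelist by bare name. Everything else (names, attribute access such as math.sqrt, strings, subscripts, lambdas) is refused. The whitelist contents, the MAX_LENGTH and MAX_EXPONENT bounds, and the helper names are assumptions of this example, not anything from the thread.

```python
import ast
import math
import operator

# Arithmetic operators the evaluator accepts; any other node type is refused.
BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
# Functions callable by bare name only: "sqrt(2)" is allowed, "math.sqrt(2)" is not,
# because attribute access is never walked. The list itself is an assumption.
FUNCS = {"sqrt": math.sqrt, "sin": math.sin, "cos": math.cos, "abs": abs}

MAX_LENGTH = 200      # bound parser work on oversized input (assumed limit)
MAX_EXPONENT = 1000   # bound "2**10**9"-style resource exhaustion (assumed limit)


class UnsafeExpression(ValueError):
    """Raised for anything that is not a plain numeric expression."""


def safe_eval(text):
    """Evaluate a numeric expression by walking its AST against a whitelist."""
    if len(text) > MAX_LENGTH:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(text.strip(), mode="eval")   # statements fail here
    except SyntaxError as exc:
        raise UnsafeExpression(f"not an expression: {exc.msg}") from None
    return _walk(tree.body)


def _walk(node):
    if isinstance(node, ast.Constant):
        value = node.value
        # bool is a subclass of int; strings, None and bools are all refused.
        if isinstance(value, (int, float, complex)) and not isinstance(value, bool):
            return value
        raise UnsafeExpression(f"disallowed constant: {value!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _walk(node.left), _walk(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_walk(arg) for arg in node.args])
    # Names, attribute access, subscripts, comprehensions, lambdas, etc. land here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def is_safe(text):
    """True if safe_eval accepts the expression, False if it refuses it."""
    try:
        safe_eval(text)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, including the ones tried in the thread.
    for expr in ["1+2", "(1+2j)-3j", "1+sqrt(2)", "print('hello')", "x = 1", "a.b"]:
        try:
            print(f"{expr!r:>18} -> {safe_eval(expr)!r}")
        except UnsafeExpression as exc:
            print(f"{expr!r:>18} -> refused ({exc})")
```

Note that in Python 3 "print('hello')" is a valid expression (a call), so the parser no longer rejects it the way Joal's Python 2 session did; it is the tree walk that refuses it, because print is not in the whitelist. Arithmetic errors inside accepted expressions (ZeroDivisionError, OverflowError, math domain errors) propagate as usual and are left to the caller.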