How do you set up a stack?
Michael Hudson
mwh at python.net
Wed May 9 04:28:11 EDT 2001
s713221 at student.gu.edu.au writes:
> In order to "evaluate" or execute a string as a command, rather than an
> expression, the exec command has to be used.
That's only what you think.
>>> eval("eval(compile('print 1','','exec'))")
1
you can get around this by restricting the builtins
>>> eval("eval(compile('print 1','','exec'))",{"__builtins__":{}})
Traceback (most recent call last):
File "<input>", line 1, in ?
File "<string>", line 0, in ?
NameError: name 'eval' is not defined
but this still leaves potential DoS attacks like
eval("'a'*(2**26)")
Don't eval user input, IOW.
Cheers,
M.
--
Sufficiently advanced political correctness is indistinguishable
from irony. -- Erik Naggum
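The three behaviours above, run side by side in Python 3 (so `print 1` becomes `print(1)`), as an added example; this is not code from the original post. The `probe` helper, the function names and the shrunken `2 ** 20` size for the memory payload are my own choices; the post uses `2 ** 26`.

```python
import ast

# Payloads from the post, adapted to Python 3 syntax. The multiplier is
# reduced from 2**26 to 2**20 so the demonstration allocates ~1 MiB, not 64 MiB.
NESTED_EXEC = "eval(compile('print(1)', '', 'exec'))"
MEMORY_BOMB = "'a' * (2 ** 20)"


def unrestricted_eval(expr):
    """Plain eval(): the inner eval()/compile() are reachable, so exec-mode
    code runs even though only eval() was called."""
    return eval(expr)


def restricted_eval(expr):
    """eval() with an empty __builtins__ mapping, the mitigation from the post.
    Name lookup for eval/compile/__import__ now fails with NameError, but any
    expression built from literals and operators still executes in full."""
    return eval(expr, {"__builtins__": {}})


def literal_only(expr):
    """ast.literal_eval() parses the string and accepts only literal syntax
    (strings, numbers, tuples, lists, dicts, sets, booleans, None). Calls and
    arbitrary binary operators are rejected before anything is evaluated."""
    return ast.literal_eval(expr)


def probe(evaluator, expr):
    """Run one evaluator on one payload and summarise the outcome as a tuple:
    ('rejected', ExceptionName) or ('evaluated', result-or-length)."""
    try:
        result = evaluator(expr)
    except Exception as exc:  # noqa: BLE001 - we want the class name only
        return ("rejected", type(exc).__name__)
    if isinstance(result, str):
        # Report size rather than the string itself; the point is the allocation.
        return ("evaluated", len(result))
    return ("evaluated", result)


def run_report():
    """Evaluate both payloads under all three evaluators."""
    report = {}
    for name, evaluator in (
        ("unrestricted", unrestricted_eval),
        ("restricted_builtins", restricted_eval),
        ("literal_eval", literal_only),
    ):
        report[name] = {
            "nested_exec": probe(evaluator, NESTED_EXEC),
            "memory_bomb": probe(evaluator, MEMORY_BOMB),
        }
    return report


if __name__ == "__main__":
    for evaluator_name, outcomes in run_report().items():
        for payload_name, outcome in outcomes.items():
            print(f"{evaluator_name:20s} {payload_name:12s} {outcome}")
```

Under `restricted_builtins` the nested `eval(compile(...))` dies with `NameError`, exactly as in the post, while the string-multiplication payload still evaluates and allocates the full buffer; only `literal_eval` refuses both, because it never evaluates a `Call` or a `Mult` node at all. `ast.literal_eval` is still not a sandbox for hostile input: the CPython documentation warns that a sufficiently large or deeply nested literal can exhaust the parser's stack, so length and nesting limits on the input belong in front of it. The advice in the post stands: don't eval user input.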