Convert String to Dictionary question

Christian Tanzer tanzer at swing.co.at
Sun Feb 17 08:52:00 CET 2002


"Jason Orendorff" <jason at jorendorff.com> wrote:

> > > It seems to me that security is a compelling reason to choose
> > > pickle() over eval().  Am I wrong?
> >
> > With regard to eval, yes. Check out the two optional arguments to
> > eval, before spreading FUD.
>
> Well, the bottom line is:  If I'm looking for a vulnerability in
> an app, I'm searching for calls to eval(), not pickle.
>
> For example, the idiom you suggested elsewhere in this thread:
>   >>> eval ("""os.system ("echo 'kilroy'")""", {}, {})
>
> is actually exploitable:
>   >>> s = "__import__('os').system('echo kilroy')"
>   >>> eval (s, {}, {})
>   kilroy
>   0

I stand corrected. And I'd like to apologize for being a bit rude.

That one is easily plugged though:

>>> eval (s, {"__builtins__" : {}},{})
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<string>", line 0, in ?
NameError: name '__import__' is not defined

> Whereas there are no known security holes in pickle.

Not true.

To wrap this up, writing secure applications is hard -- and rules of
thumb like `eval is bad, pickle is good` aren't going to make it any
easier.

-- 
Christian Tanzer                                         tanzer at swing.co.at
Glasauergasse 32                                       Tel: +43 1 876 62 36
A-1130 Vienna, Austria                                 Fax: +43 1 877 66 92






More information about the Python-list mailing list