replacement of rexec?
Ian McMeans
imcmeans at telus.net
Thu Oct 30 15:37:21 EST 2003
Are there plans to replace rexec? It seems like a useful library to
have (Zope is a good example of where it would be useful).
Huaiyu Zhu <huaiyu at gauss.almaden.ibm.com> wrote in message news:<slrnbpeal0.fhh.huaiyu at gauss.almaden.ibm.com>...
> What is the preferred way to eval a string like "('a', 1)"? These strings
> are representations of simple objects of type int, str, or dict, tuple or
> list made of them. I do not want to use naked eval in case I run the
> script on a wrong file that happens to contain Python code.
>
> Previously I used the following
>
> from rexec import RExec
> r_eval = RExec().r_eval
>
> After upgrading to 2.3 it no longer works:
>
>   File "/usr/local/lib/python2.3/rexec.py", line 184, in __init__
>     raise RuntimeError, "This code is not secure in Python 2.2 and 2.3"
> RuntimeError: This code is not secure in Python 2.2 and 2.3
>
> I understand that rexec is not secure against malicious attacks. However,
> it is safer than eval for preventing accidents. What should I use in
> place? The ideal thing I'm looking for is a function that can parse only
> "non-active" Python objects and raise an exception on anything else.
>
> Huaiyu
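
An added example, not part of either message: one way to build the function the quoted question asks for, written for current Python 3 with the standard ast module rather than the Python 2.3 under discussion. It parses the string without evaluating it and accepts only the types the question names (int, str, and dict, tuple or list made of them); the names parse_inert and MAX_LEN and the length cap are assumptions of this example.

```python
import ast

MAX_LEN = 10_000  # assumed cap; keeps oversized input away from the parser


def parse_inert(text):
    """Return the int/str/dict/tuple/list value written in text, else raise ValueError."""
    if len(text) > MAX_LEN:
        raise ValueError("input too long")
    try:
        # Parsing builds a syntax tree only; nothing in the string is executed.
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, RecursionError, MemoryError) as exc:
        raise ValueError(f"not a Python expression: {exc}") from None
    return _build(tree.body)


def _build(node):
    # Exact type check: bool is a subclass of int, so isinstance would admit True/False.
    if isinstance(node, ast.Constant) and type(node.value) in (int, str):
        return node.value
    # A negative number parses as unary minus applied to a constant.
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and type(node.operand.value) is int):
        return -node.operand.value
    if isinstance(node, ast.Tuple):
        return tuple(_build(e) for e in node.elts)
    if isinstance(node, ast.List):
        return [_build(e) for e in node.elts]
    if isinstance(node, ast.Dict):
        # A None key means "**mapping" unpacking, which is not a literal.
        if any(k is None for k in node.keys):
            raise ValueError("dict unpacking is not allowed")
        try:
            return {_build(k): _build(v) for k, v in zip(node.keys, node.values)}
        except TypeError:
            raise ValueError("unhashable dict key") from None
    # Names, calls, attribute access, operators, comprehensions and the rest.
    raise ValueError(f"disallowed construct: {type(node).__name__}")
```

The standard library's ast.literal_eval follows the same parse-then-whitelist approach but also accepts floats, complex numbers, bytes, sets, booleans and None.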