Sanitizing untrusted code for eval()

Scott David Daniels Scott.Daniels at Acm.Org
Mon Aug 22 21:23:33 CEST 2005


Diez B. Roggisch wrote:
>> Does anyone know of any other "gotchas" with eval() I have not found?  Or
>> is eval() simply too evil?
> 
> 
> Yes - and from what I can see on the JSON-Page, it should be _way_ 
> easier to simply write a parser your own - that ensures that only you 
> decide what python code gets called.
> 
> Diez
> _
Another thing you can do is use the compile message and then only allow
certain bytecodes.  Of course this approach means you need to implement
this in a major version-dependent fashion, but it saves you the work of
mapping source code to python.  Eventually there will be another form
available (the AST form), but that will show up no earlier than 2.5.
As a matter of pure practicality, it turns out you can probably use
almost the same code to look at 2.3 and 2.4 byte codes.


--Scott David Daniels
Scott.Daniels at Acm.Org



More information about the Python-list mailing list