Sanitizing untrusted code for eval()
benji at benjiyork.com
Mon Aug 22 16:14:39 CEST 2005
Jim Washington wrote:
> I'm still working on yet another parser for JSON (http://json.org).
> The only problem is, it uses eval(). It's important to sanitize the
> incoming untrusted code before sending it to eval().
> Does anyone know of any other "gotchas" with eval() I have not found? Or
> is eval() simply too evil?
I'd say that eval is just too evil.
I do wonder if it would be possible to use eval by working from the
other direction. Instead of trying to filter out dangerous things, only
allow a *very* strict set of things in.
For example, since you're doing JSON, you don't even need to allow
multiplication. If you only allowed dictionaries with string keys and a
restricted set of types as values, you'd be pretty close. But once
you're at that point you might as well use your own parser and not use
eval at all. <shrug>
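The allow-list approach described above, as an added example that is not part of the original thread (the post predates both the `json` and `ast` modules in the standard library; the code assumes Python 3.8+, where literals parse to `ast.Constant`). Rather than hunting for dangerous substrings before calling `eval()`, it parses the text into an AST and accepts only the handful of node types a JSON document can produce: dictionaries with string keys, lists, string and numeric constants, a leading minus, and the bare names `true`, `false` and `null`. Everything else (calls, attribute access, arithmetic, subscripts, lambdas) is rejected before any code runs.

```python
"""Allow-list parsing of JSON-like text with the ast module.

Added example, not code from the mailing-list thread. The idea follows the
post: instead of filtering dangerous things out of eval() input, let only a
very strict set of constructs in. No eval() is ever called.
"""
import ast

# JSON keywords are not Python literals; map them by name and reject any
# other bare identifier.
_JSON_NAMES = {"true": True, "false": False, "null": None}


class UnsafeInput(ValueError):
    """Raised when the input contains anything outside the JSON subset."""


def _convert(node):
    """Recursively turn an allowed AST node into a plain Python value."""
    if isinstance(node, ast.Dict):
        result = {}
        for key_node, value_node in zip(node.keys, node.values):
            # JSON object keys must be string constants. A `**spread` entry
            # has key_node == None and is rejected by the same check.
            if not (isinstance(key_node, ast.Constant)
                    and isinstance(key_node.value, str)):
                raise UnsafeInput("object keys must be string constants")
            result[key_node.value] = _convert(value_node)
        return result
    if isinstance(node, ast.List):
        return [_convert(elt) for elt in node.elts]
    if isinstance(node, ast.Constant):
        # Only str, int and float can appear in JSON. Python's True/False/None
        # also arrive as Constant nodes; they are not JSON and are refused.
        if type(node.value) in (int, float, str):
            return node.value
        raise UnsafeInput(
            f"constant of type {type(node.value).__name__} not allowed")
    if isinstance(node, ast.Name) and node.id in _JSON_NAMES:
        return _JSON_NAMES[node.id]
    # Negative numbers parse as UnaryOp(USub, Constant); allow exactly that.
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and type(node.operand.value) in (int, float)):
        return -node.operand.value
    # Call, Attribute, Subscript, BinOp, Lambda, other Names, etc. land here.
    raise UnsafeInput(f"{type(node).__name__} node not allowed")


def safe_loads(text):
    """Parse JSON-like text into Python values, or raise UnsafeInput."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise UnsafeInput(f"not parseable: {exc.msg}") from None
    return _convert(tree.body)


def is_json_subset(text):
    """True if safe_loads() accepts the text, False if it rejects it."""
    try:
        safe_loads(text)
    except UnsafeInput:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    print(safe_loads('{"a": [1, 2.5, "x", true, null], "b": {"c": -3}}'))
    for bad in ('__import__("os").getcwd()',  # Call and Attribute nodes
                '{"a": 1 * 2}',                # BinOp: the post's multiplication
                '{1: "x"}',                    # non-string key
                '[].__class__'):               # Attribute node
        print(repr(bad), "accepted" if is_json_subset(bad) else "rejected")
```

Because the check is an allow-list over node types, a construct the author never thought about is rejected by default rather than slipping through; that is the property a block-list on `eval()` input cannot give. In current Python the right tool is simply `json.loads`, which never executes anything; the block above is the post's argument made concrete, and its recursion also inherits the interpreter's nesting limit, so pathologically deep input raises `RecursionError` rather than being parsed.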