Sanitizing untrusted code for eval()

Benji York benji at benjiyork.com
Mon Aug 22 16:14:39 CEST 2005


Jim Washington wrote:
> I'm still working on yet another parser for JSON (http://json.org).

Hi, Jim.

> The only problem is, it uses eval(). It's important to sanitize the
> incoming untrusted code before sending it to eval().

> Does anyone know of any other "gotchas" with eval() I have not found?  Or
> is eval() simply too evil?

I'd say that eval is just too evil.

I do wonder if it would be possible to use eval by working from the 
other direction.  Instead of trying to filter out dangerous things, only 
allow a *very* strict set of things in.

For example, since your doing JSON, you don't even need to allow 
multiplication.  If you only allowed dictionaries with string keys and a 
  restricted set of types as values, you'd be pretty close.  But once 
you're at that point you might as well use your own parser and not use 
eval at all.  <shrug>
--
Benji York




More information about the Python-list mailing list