Sanitizing untrusted code for eval()

Fredrik Lundh fredrik at pythonware.com
Mon Aug 22 22:12:25 CEST 2005


Jim Washington wrote:

> 4.  List comprehensions might be troublesome, though it's not clear to me
> how a DoS or exploit is possible with these.

see item 1.

> Or is eval() simply too evil?

yes.

however, running a tokenizer over the source string and rejecting any string
that contains unknown tokens (i.e. anything that's not a literal, comma, 
colon,
or square or curly bracket) before evaluation might be good enough.

(you can use Python's standard tokenizer module, or rip out the relevant 
parts
from it and use the RE engine directly)

</F> 






More information about the Python-list mailing list