get a list from a string

Steven D'Aprano steve at REMOVE.THIS.cybersource.com.au
Thu Jun 7 14:39:41 CEST 2007


On Thu, 07 Jun 2007 11:06:54 +0000, simon kagwe wrote:

>> exec("distances = [[1,1,1,1],[2,2,2,2]]")
> Wow! So simple!
> 
> Thanks a lot. :-)

Yes, and when you embed this in your web-application, using data gathered
from a web-form, the black-hat hackers will thank you for the security
hole too.

Surely a much better solution would be NOT to start with a string like 
"distances = [[1,1,1,1],[2,2,2,2]]" in the first place? Where does that
string come from? If it comes from the user, at run-time, using exec is a
MAJOR security hole. If it comes from the source code, then WHY???

I wish exec and eval were hidden away in a module so they were harder (but
not impossible) to get to. Because I'm paranoid, I wish importing that
module would print a warning saying "Are you MAD??? Don't do this!!!". I
wish even more that Python would come with a built-in "make a list from a
list representation" function, but that at least is fairly easy to create:
you can modify 




Here is a discussion about just how hard (that is, probably impossible) it
is to make eval safe:

http://effbot.org/zone/librarybook-core-eval.htm
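The "make a list from a list representation" function asked for above, as an added example that is not from the thread: it uses ast.literal_eval (added to Python in 2.6, after this 2007 post) and then checks the exact shape the application expects; the sample inputs are constructed.

```python
import ast
from numbers import Real

def parse_distances(text):
    """Turn the text of a list-of-lists-of-numbers literal into a list.

    ast.literal_eval evaluates only literal syntax (numbers, strings,
    lists, tuples, dicts, sets, True/False/None).  Names, calls, attribute
    access and most operators raise ValueError, so text taken from a web
    form cannot run code the way exec() or eval() would let it.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a list literal: {text!r}") from exc
    # literal_eval still accepts dicts, strings, sets, ...; enforce the
    # exact shape the application expects so nothing else slips through.
    if not isinstance(value, list) or not value:
        raise ValueError("expected a non-empty list of rows")
    rows = []
    for row in value:
        if not isinstance(row, list) or not row:
            raise ValueError("each row must be a non-empty list")
        # bool is a subclass of int, so exclude it explicitly
        if not all(isinstance(x, Real) and not isinstance(x, bool) for x in row):
            raise ValueError("rows may contain only numbers")
        rows.append([float(x) for x in row])
    return rows

def accepts(text):
    """True if text parses as a distance table, False if it is rejected."""
    try:
        parse_distances(text)
    except ValueError:
        return False
    return True

# Constructed sample inputs (not from the thread); only the first is valid.
SAMPLES = [
    "[[1,1,1,1],[2,2,2,2]]",             # the literal from the thread
    "distances = [[1,1,1,1],[2,2,2,2]]", # the exec() form: a statement, not a literal
    "[1, 2, len('abc')]",                # a call: refused, nothing is executed
    "[[1, 'two'], [3, 4]]",              # right syntax, wrong element type
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:38} -> {'ok' if accepts(sample) else 'rejected'}")
```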
