eval() == evil? --- How to use it safely?

James Mills prologic at shortcircuit.net.au
Fri Aug 29 01:38:07 CEST 2008


Hi,

If you cannot use a simple data structure/format
like JSON, or CSV, or similar, _don't_
use eval or exec, but use the pickle
libraries instead. This is much safer.

cheers
James

On Fri, Aug 29, 2008 at 7:51 AM, Fett <FettManChu at gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.
>
> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, and my nested dictionary of
> strings is still allowable. What I want to know is:
>
> What are the dangers of eval?
> - I originally was using exec() but switched to eval() because I
> didn't want some hacker to be able to delete/steal files off my
> clients computers. I assume this is not an issue with eval(), since
> eval wont execute commands.
> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?
> --
> http://mail.python.org/mailman/listinfo/python-list
>



-- 
--
-- "Problems are solved by method"



More information about the Python-list mailing list