Safe eval of insecure strings containing Python data structures?

Chris Rebert clp at rebertia.com
Thu Oct 9 02:55:17 CEST 2008


On Wed, Oct 8, 2008 at 5:34 PM, Warren DeLano <warren at delsci.com> wrote:
>
> I would like to parse arbitrary insecure text string containing nested
> Python data structures in eval-compatible form:
>
> # For example, given a "config.txt" such as:
>
> {
>  'my_atom' : 1.20,
>  'my_dict' : { 2:50 , 'hi':'mom'},
>  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
> }
>
> # I would like to do something like this:
>
> empty_space = {'__builtins__' : {}}
>
> try:
>    config = eval(open("config.txt").read(), empty_space, empty_space)
> except:
>    config = {}
>
> print config
>
> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...
>
> So is there an equally convenient yet secure alternative available for
> parsing strings containing Python data structure definitions?

Assuming the data structures are sufficiently basic, i.e. no class
instanciations, you can just use the json (AKA simplejson) library to
deserialize the data in the string. Python and JSON conveniently
happen to share the same syntax for literals (except for booleans
IIRC).
Also, if this is your program's config file, you might consider
changing it to INI-format and using ConfigParser
(http://www.python.org/doc/2.5.2/lib/module-ConfigParser.html)
instead.

Cheers,
Chris
-- 
Follow the path of the Iguana...
http://rebertia.com

>
> Thanks in advance for any pointers!
>
> Cheers,
> Warren
>
>
> --
> http://mail.python.org/mailman/listinfo/python-list
>



More information about the Python-list mailing list