Safe eval of insecure strings containing Python data structures?

Orestis Markou orestis at orestis.gr
Thu Oct 9 14:26:17 CEST 2008


The ast module in 2.6 has something...

On Thu, Oct 9, 2008 at 1:34 AM, Warren DeLano <warren at delsci.com> wrote:
>
> I would like to parse an arbitrary insecure text string containing nested
> Python data structures in eval-compatible form:
>
> # For example, given a "config.txt" such as:
>
> {
>  'my_atom' : 1.20,
>  'my_dict' : { 2:50 , 'hi':'mom'},
>  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
> }
>
> # I would like to do something like this:
>
> empty_space = {'__builtins__' : {}}
>
> try:
>    config = eval(open("config.txt").read(), empty_space, empty_space)
> except:
>    config = {}
>
> print config
>
> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...
>
> So is there an equally convenient yet secure alternative available for
> parsing strings containing Python data structure definitions?
>
> Thanks in advance for any pointers!
>
> Cheers,
> Warren



-- 
orestis at orestis.gr
http://orestis.gr
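
An added example, not part of the original thread: it assumes the "something" in the `ast` module is `ast.literal_eval` (available since Python 2.6; written here for Python 3) and compares it with the restricted `eval()` from the question. The `load_config` and `restricted_eval` names, the size cap and the attribute probe string are constructed for illustration.

```python
import ast

# Constructed sample input: the config.txt contents from the question.
CONFIG_TEXT = """
{
 'my_atom' : 1.20,
 'my_dict' : { 2:50 , 'hi':'mom'},
 'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}
"""

# Constructed, harmless probe: plain attribute access on a literal.
ATTRIBUTE_PROBE = "().__class__.__name__"

MAX_CONFIG_CHARS = 64 * 1024  # hypothetical cap; tune for your configs


def load_config(text, max_len=MAX_CONFIG_CHARS):
    """Parse text as a Python literal; return {} unless it is a literal dict."""
    if len(text) > max_len:
        return {}
    try:
        # literal_eval only accepts strings, bytes, numbers, tuples, lists,
        # dicts, sets, booleans and None; names, calls and attribute
        # access raise ValueError.
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return {}
    return value if isinstance(value, dict) else {}


def restricted_eval(text):
    """The approach from the question, kept only for comparison."""
    empty_space = {"__builtins__": {}}
    return eval(text, empty_space, empty_space)


if __name__ == "__main__":
    print(load_config(CONFIG_TEXT))          # nested structure parsed
    print(restricted_eval(ATTRIBUTE_PROBE))  # attribute access is evaluated
    print(load_config(ATTRIBUTE_PROBE))      # rejected, falls back to {}
```

The size cap is there because `ast.literal_eval` can still exhaust memory or the parser stack on very large or deeply nested input, so it limits code execution but not resource use.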


