Safe eval of insecure strings containing Python data structures?
Warren DeLano
warren at delsci.com
Wed Oct 8 20:34:52 EDT 2008
I would like to parse an arbitrary insecure text string containing nested
Python data structures in eval-compatible form:
# For example, given a "config.txt" such as:
{
'my_atom' : 1.20,
'my_dict' : { 2:50 , 'hi':'mom'},
'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}
# I would like to do something like this:
empty_space = {'__builtins__' : {}}
try:
    config = eval(open("config.txt").read(), empty_space, empty_space)
except:
    config = {}
print config
# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...
So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?
Thanks in advance for any pointers!
Cheers,
Warren
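
An added example, not part of the original post: the eval() approach from the message next to a literal-only parser built on the standard library's ast.literal_eval (Python 2.6 and later, written here for Python 3). The function names, the size cap and both sample strings are assumptions constructed for illustration.

```python
import ast

MAX_CHARS = 64 * 1024  # assumed size cap; not from the original post

# Constructed sample: the config.txt contents shown in the post.
SAMPLE_CONFIG = """{
'my_atom' : 1.20,
'my_dict' : { 2:50 , 'hi':'mom'},
'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}"""

# Constructed sample: a value that uses attribute access instead of a literal.
ATTRIBUTE_ACCESS = "{'my_atom': ().__class__.__name__}"


def eval_empty_builtins(text):
    """The approach from the post: eval() with __builtins__ emptied."""
    empty_space = {'__builtins__': {}}
    try:
        return eval(text, empty_space, empty_space)
    except Exception:
        return {}


def load_config(text, max_chars=MAX_CHARS):
    """Parse a dict literal from untrusted text; return {} on any rejection."""
    if len(text) > max_chars:
        return {}
    try:
        # Only strings, numbers, tuples, lists, dicts, sets, booleans and
        # None are accepted; names, calls and attribute access are rejected.
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        # TypeError covers unhashable dict keys; MemoryError and
        # RecursionError cover pathologically nested input.
        return {}
    return value if isinstance(value, dict) else {}


if __name__ == "__main__":
    print(eval_empty_builtins(ATTRIBUTE_ACCESS))  # attribute access evaluated
    print(load_config(ATTRIBUTE_ACCESS))          # rejected
    print(load_config(SAMPLE_CONFIG))             # parsed as plain data
```
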