Safe eval of insecure strings containing Python data structures?

Warren DeLano warren at
Thu Oct 9 02:34:52 CEST 2008

I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:  

# For example, given a "config.txt" such as:

  'my_atom' : 1.20,
  'my_dict' : { 2:50 , 'hi':'mom'},
  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]

# I would like to do something like this:

empty_space = {'__builtins__' : {}}

    config = eval(open("config.txt").read(), empty_space, empty_space)
    config = {} 

print config

# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!


More information about the Python-list mailing list