Safe eval of insecure strings containing Python data structures?

Ben Finney bignose+hates-spam at benfinney.id.au
Thu Oct 9 03:56:03 CEST 2008


"Warren DeLano" <warren at delsci.com> writes:

> I would like to parse arbitrary insecure text string containing
> nested Python data structures in eval-compatible form:

It sounds like you want the ‘json’ library, new in Python 2.6
<URL:http://www.python.org/doc/current/library/json>. It's intended
for serialising and deserialising text streams for *data only* (not
executable code).

> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...

More generally, you should never execute (via eval, exec, or whatever)
*any* instruction from an untrusted path; especially not arbitrary
data from an input stream.

-- 
 \          “A hundred times every day I remind myself that […] I must |
  `\       exert myself in order to give in the same measure as I have |
_o__)                received and am still receiving” —Albert Einstein |
Ben Finney



More information about the Python-list mailing list