Safe eval of insecure strings containing Python data structures?

Lie Ryan lie.1296 at
Thu Oct 9 17:40:40 CEST 2008

On Thu, 09 Oct 2008 13:26:17 +0100, Orestis Markou wrote:

> The ast module in 2.6 has something...

In Python 2.6, ast.literal_eval may be used to replace eval() for 
literals. It does not accept statements and function calls, i.e.:

>>> a = set([1, 2, 3])
>>> repr(a)
set([1, 2, 3])
>>> ast.literal_eval(repr(a))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/", line 67, in literal_eval
    return _convert(node_or_string)
  File "/usr/local/lib/python2.6/", line 66, in _convert
    raise ValueError('malformed string')
ValueError: malformed string
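
The behaviour described in this message, as an added example that is not part of the original post: a wrapper that parses untrusted strings with ast.literal_eval and rejects anything that is not a plain literal. It assumes Python 3 (where the repr of a set is a literal such as {1, 2, 3}); the names parse_untrusted, UnsafeLiteral, classify and MAX_LEN and the sample strings are constructed for illustration.

```python
import ast

MAX_LEN = 10_000  # assumed cap: very large or deeply nested input can exhaust the parser


class UnsafeLiteral(ValueError):
    """Raised when the input is not a plain Python literal."""


def parse_untrusted(text, max_len=MAX_LEN):
    """Parse a string holding a Python literal without executing any code."""
    if not isinstance(text, str):
        raise TypeError("expected str")
    if len(text) > max_len:
        raise UnsafeLiteral("input too long")
    try:
        # literal_eval only builds strings, bytes, numbers, tuples, lists,
        # dicts, sets, booleans and None; calls and names raise ValueError.
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UnsafeLiteral("rejected: %s" % type(exc).__name__) from None


def classify(samples):
    """Map each sample string to ("ok", value) or ("rejected", reason)."""
    results = {}
    for sample in samples:
        try:
            results[sample] = ("ok", parse_untrusted(sample))
        except UnsafeLiteral as exc:
            results[sample] = ("rejected", str(exc))
    return results


# Constructed sample inputs: three literals, then four non-literals.
SAMPLES = [
    "{'user': 'alice', 'roles': ['admin', 'dev'], 'id': 7}",
    "(1, 2.5, None, True)",
    "{1, 2, 3}",
    "set([1, 2, 3])",             # function call, as in the message above
    "__import__('os').getcwd()",  # attribute access plus call
    "[x for x in range(3)]",      # comprehension
    "1 +",                        # not valid syntax
]

if __name__ == "__main__":
    for text, outcome in classify(SAMPLES).items():
        print("%-55s %s" % (text, outcome))
```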
