eval() == evil? --- How to use it safely?

mario mario at ruggier.org
Wed Sep 3 09:28:26 CEST 2008


On Aug 28, 11:51 pm, Fett <FettMan... at gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.
>
> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, and my nested dictionary of
> strings is still allowable. What I want to know is:
>
> What are the dangers of eval?
> - I originally was using exec() but switched to eval() because I
> didn't want some hacker to be able to delete/steal files off my
> clients computers. I assume this is not an issue with eval(), since
> eval wont execute commands.
> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?

If you like to look at a specific attempt for making eval() safe(r)
take a look at how the **eval-based** Evoque Templating engine does
it, for which a short overview is here:
http://evoque.gizmojo.org/usage/restricted/

While it does not provide protection against DOS type attacks, it
should be safe against code that tries to pirate tangible resources
off your system, such as files and disk. Actually, any problems anyone
may find are greatly appreciated...



More information about the Python-list mailing list