safe eval of moderately simple math expressions
Steven D'Aprano
steve at REMOVE-THIS-cybersource.com.au
Fri Apr 10 20:54:39 EDT 2009
On Thu, 09 Apr 2009 13:13:50 -0400, Terry Reedy wrote:
> Joel Hedlund wrote:
>> Hi all!
>>
>> I'm writing a program that presents a lot of numbers to the user, and I
>> want to let the user apply moderately simple arithmetic to these
>> numbers. One possibility that comes to mind is to use the eval
>> function, but since that sends up all kinds of warning flags in my
>> head,
>
> Where does the program execute? If on the user's own machine, no
> problem.
Until the user naively executes a code sample he downloaded from the
Internet, and discovers to his horror that his *calculator* is able to
upload his banking details to an IRC server hosted in Bulgaria.
How quickly we forget... for twenty or thirty years all malware
infections were via programs executed on the user's own machine.
> Eval is no more dangerous than Python itself.
But users know Python is a Turing-complete programming language that can
do anything their computer can do. It would come as an unpleasant
surprise to discover that (say) your icon editor was also a
Turing-complete programming language capable of doing anything your
C-compiler could do. The same holds for applications written in Python.
--
Steven