safe eval of moderately simple math expressions

Steven D'Aprano steve at REMOVE-THIS-cybersource.com.au
Fri Apr 10 20:54:39 EDT 2009


On Thu, 09 Apr 2009 13:13:50 -0400, Terry Reedy wrote:

> Joel Hedlund wrote:
>> Hi all!
>> 
>> I'm writing a program that presents a lot of numbers to the user, and I
>> want to let the user apply moderately simple arithmetic to these
>> numbers. One possibility that comes to mind is to use the eval
>> function, but since that sends up all kinds of warning flags in my
>> head,
> 
> Where does the program execute?  If on the user's own machine, no
> problem.

Until the user naively executes a code sample he downloaded from the 
Internet, and discovers to his horror that his *calculator* is able to 
upload his banking details to an IRC server hosted in Bulgaria.

How quickly we forget... for twenty or thirty years all malware 
infections were via programs executed on the user's own machine.


> Eval is no more dangerous than Python itself.

But users know Python is a Turing-complete programming language that can 
do anything their computer can do. It would come as an unpleasant 
surprise to discover that (say) your icon editor was also a Turing-
complete programming language capable of doing anything your C-compiler 
could do. The same holds for applications written in Python.



-- 
Steven
