safe eval of moderately simple math expressions
Aaron Brady
castironpi at gmail.com
Sat Apr 11 03:41:21 EDT 2009
On Apr 10, 7:54 pm, Steven D'Aprano <st... at REMOVE-THIS-
cybersource.com.au> wrote:
> On Thu, 09 Apr 2009 13:13:50 -0400, Terry Reedy wrote:
> > Joel Hedlund wrote:
> >> Hi all!
>
> >> I'm writing a program that presents a lot of numbers to the user, and I
> >> want to let the user apply moderately simple arithmetic to these
> >> numbers. One possibility that comes to mind is to use the eval
> >> function, but since that sends up all kinds of warning flags in my
> >> head,
>
> > Where does the program execute? If on the user's own machine, no
> > problem.
>
> Until the user naively executes a code sample he downloaded from the
> Internet, and discovers to his horror that his *calculator* is able to
> upload his banking details to an IRC server hosted in Bulgaria.
Mine does that anyway! ..Often without telling anyone.
>
> How quickly we forget... for twenty or thirty years all malware
> infections were via programs executed on the user's own machine.
>
> > Eval is no more dangerous than Python itself.
>
> But users know Python is a Turing-complete programming language that can
> do anything their computer can do. It would come to an unpleasant
> surprise to discover that (say) your icon editor was also a Turing-
> complete programming language capable of doing anything your C-compiler
> could do. The same holds for applications written in Python.
Don't they know that his calculator is written in Python? Do many
applications include a programming language?
Why do I get the feeling that the authors of 'pyparsing' are out of
breath?
I wonder if you could do something like copy and paste a "fork" of the
'ast' module, and just remove non-arithmetic classes; then do a normal
walk and transform of the foreign code...