safe eval of moderately simple math expressions

Aaron Brady castironpi at gmail.com
Sat Apr 11 09:41:21 CEST 2009


On Apr 10, 7:54 pm, Steven D'Aprano <st... at REMOVE-THIS-
cybersource.com.au> wrote:
> On Thu, 09 Apr 2009 13:13:50 -0400, Terry Reedy wrote:
> > Joel Hedlund wrote:
> >> Hi all!
>
> >> I'm writing a program that presents a lot of numbers to the user, and I
> >> want to let the user apply moderately simple arithmentics to these
> >> numbers. One possibility that comes to mind is to use the eval
> >> function, but since that sends up all kinds of warning flags in my
> >> head,
>
> > Where does the program execute?  If on the user's own machine, no
> > problem.
>
> Until the user naively executes a code sample he downloaded from the
> Internet, and discovers to his horror that his *calculator* is able to
> upload his banking details to an IRC server hosted in Bulgaria.

Mine does that anyway!  ..Often without telling anyone.

>
> How quickly we forget... for twenty or thirty years all malware
> infections was via programs executed on the user's own machine.
>
> > Eval is no more dangerous than Python itself.
>
> But users know Python is a Turing-complete programming language that can
> do anything their computer can do. It would come to an unpleasant
> surprise to discover that (say) your icon editor was also a Turing-
> complete programming language capable of doing anything your C-compiler
> could do. The same holds for applications written in Python.

Don't they know that his calculator is written in Python?  Do many
applications include a programming language?

Why do I get the feeling that the authors of 'pyparsing' are out of
breath?

I wonder if you could do something like copy and paste a "fork" of the
'ast' module, and just remove non-arithmetic classes; then do a normal
walk and transform of the foreign code...



More information about the Python-list mailing list