List comprehension - NameError: name '_[1]' is not defined ?

mario ruggier mario.ruggier at gmail.com
Thu Jan 15 10:56:02 EST 2009


On Jan 15, 4:06 pm, Steven D'Aprano <st... at REMOVE-THIS-
cybersource.com.au> wrote:

Hi Steve!

> > class GetItemEvaluator(object):
> >     def __init__(self):
> >         self.globals = globals() # some dict (never changes)

Ya, this is just a boiled down sample, and for simplicity I set it to
the real globals(), so of course it will change when that changes...
but in the application this is a distinct dict, that is entirely
managed by the application, and it never changes as a result of an
*evaluation*.

> Would you like to put a small wager on that?
>
> >>> len(gie.globals)
> 64
> >>> something_new = 0
> >>> len(gie.globals)
> 65


> >         self.globals["ts"] = self.ts
> >         self.globals["join"] = "".join
> >         self.locals = {} # changes on each evaluation
> >     def __getitem__(self, expr):
> >         return eval(expr, self.globals, self.locals)
>
> Can you say "Great Big Security Hole"?

With about the same difficulty as "Rabbit-Proof Fence" ;-)
Again, it is just a boiled down sample, for communication purposes. As
I mentioned in another thread, the real application behind all this is
one of the *few* secure templating systems around. Some info on its
security is at: http://evoque.gizmojo.org/usage/restricted/
Tell you what, if you find a security hole there (via exposed template
source on a Domain(restricted=True) setup) I'll offer you a nice
dinner (including the beer!) somewhere, maybe at some py conference,
but even remotely if that is not feasible... ;-) The upcoming 0.4
release will run on 2.4 thru to 3.0 -- you can have some fun with that
one (the current 0.3 runs on 2.5 and 2.6).

> --
> Steven

Cheers, mario
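
An added example, not part of the original post and not evoque's code: the quoted class reworked for Python 3 to take its namespace as an argument, contrasting the live `globals()` dict with a distinct application-managed dict. The helper names `live_globals_grow`, `keys_added_by_eval` and `resolves` are assumptions made for this illustration.

```python
class GetItemEvaluator(object):
    """Same shape as the quoted class, but the namespace is passed in
    instead of being taken from globals()."""
    def __init__(self, namespace):
        self.globals = namespace
        self.globals["join"] = "".join
        self.locals = {}  # changes on each evaluation

    def __getitem__(self, expr):
        return eval(expr, self.globals, self.locals)


def live_globals_grow():
    """globals() is the live module dict: binding a new module-level
    name makes it one entry longer (the 64 -> 65 in the quoted session)."""
    global something_new_demo
    ns = globals()
    before = len(ns)
    something_new_demo = 0
    after = len(ns)
    del something_new_demo  # leave the module as we found it
    return after - before


def keys_added_by_eval(namespace):
    """Keys that a single evaluation adds to the globals dict."""
    gie = GetItemEvaluator(namespace)
    before = set(namespace)
    gie["join(['a', 'b'])"]
    return set(namespace) - before


def resolves(namespace, expr):
    """True if every name in expr can be looked up through namespace."""
    try:
        GetItemEvaluator(namespace)[expr]
        return True
    except NameError:
        return False

# eval() inserts "__builtins__" into a globals dict that lacks it, so a
# fresh dict gains that key on first use and every builtin becomes
# reachable from the expression. Presetting the key keeps the dict
# stable and limits name lookup to what the application put there.
# Limiting name lookup this way is not by itself a sandbox.
```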


