use strings to call functions

Stephen Hansen apt.shansen at gmail.com
Mon Feb 8 21:03:32 EST 2010


On Mon, Feb 8, 2010 at 5:51 PM, Steven D'Aprano <steven at remove.this.cybersource.com.au> wrote:

> On Mon, 08 Feb 2010 14:43:46 -0800, Aahz wrote:
>
> >>> WARNING: eval() is almost always the wrong answer to any question
> >>
> >> warning: it works!
> >
> > Works for what?
>
> Code injection security bugs, of course.
>
> http://en.wikipedia.org/wiki/Code_injection
>
> It is surprisingly difficult to sanitize strings in Python to make them
> safe to pass to eval. Unless you are prepared to trust the input data
> explicitly, it's best to just avoid eval.
>

I'd make it a bit stronger: unless you are prepared to trust the input data
explicitly, and forever-- and extending that trust to whomever might in the
future be hired to work along, beside, under, or instead of you-- including
the fact that they may use your system or code in a different or new way to
get the data-- or how you may in the future decide to grow your system in
ways you're not today prepared for and are committed to do a complete review
of your entire codebase on every such change to ensure you don't leak some
potentially bad data down into such a place-- then you can use eval.
Otherwise, other solutions are better.

--S
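The thread's point, shown in code. This is an added example, not code from the original post or its authors: it places the eval() pattern the thread warns against beside a dispatch table that calls functions by name without ever evaluating the user's string. The names COMMANDS, call_by_name and parse_and_call are assumptions for illustration; the "sanitized" eval variant shows that emptying __builtins__ does not stop attribute walking from reaching the interpreter's loaded classes, which is why string sanitizing is not a real defense.

```python
"""Calling functions by string name: eval() versus an allowlisted dispatch table."""
import ast
import operator


# --- The pattern the thread warns about ---------------------------------------
def call_with_eval(expr):
    """Constructed for illustration only: evaluates whatever the caller sends."""
    return eval(expr)


def call_with_eval_no_builtins(expr):
    """A common 'sanitized' eval. __import__ is gone, but a bare tuple still
    reaches object.__subclasses__(), i.e. every class loaded in the process,
    so this is not a sandbox."""
    return eval(expr, {"__builtins__": {}}, {})


# --- The alternative: an explicit allowlist of callables ----------------------
# Hypothetical command table; only names listed here can ever be invoked.
COMMANDS = {
    "add": operator.add,
    "mul": operator.mul,
    "upper": str.upper,
}


def call_by_name(name, *args):
    """Look the name up in the allowlist; anything else is rejected."""
    try:
        func = COMMANDS[name]
    except KeyError:
        raise ValueError(f"unknown command: {name!r}") from None
    return func(*args)


def parse_and_call(line):
    """Accept only 'name(literal, literal, ...)'.

    The string is parsed, never executed: the callee must be a plain name that
    exists in COMMANDS, and each argument must be a literal accepted by
    ast.literal_eval (numbers, strings, tuples, lists, dicts, booleans, None).
    Attribute access, nested calls, names and keyword arguments all raise.
    """
    tree = ast.parse(line, mode="eval")
    call = tree.body
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
        raise ValueError("expected a simple call such as add(1, 2)")
    if call.keywords:
        raise ValueError("keyword arguments are not supported")
    # ast.literal_eval on a non-literal node (e.g. a Name like 'os') raises ValueError.
    args = [ast.literal_eval(node) for node in call.args]
    return call_by_name(call.func.id, *args)


if __name__ == "__main__":
    # Constructed inputs: a benign command and three injection attempts.
    print(parse_and_call("add(1, 2)"))
    print(parse_and_call("upper('hello')"))
    for attempt in ["__import__('os').getcwd()",
                    "add(os.sep, 'x')",
                    "().__class__.__base__.__subclasses__()"]:
        try:
            parse_and_call(attempt)
        except ValueError as exc:
            print(f"rejected {attempt!r}: {exc}")
    # The same last string sails straight through the "sanitized" eval.
    print(len(call_with_eval_no_builtins("().__class__.__base__.__subclasses__()")),
          "classes reachable despite empty __builtins__")
```

The design choice is that the allowlist lives in code, not in the input: adding a capability means editing COMMANDS, so a later maintainer (the person Stephen's paragraph worries about) cannot widen what a string can do without seeing the table they are changing.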

