Use eval() safely?
W. Martin Borgert
debacle at debian.org
Sun Feb 21 16:25:11 EST 2010
Hi,
I know that this issue has been discussed before, but most of
the time using only one argument to eval().
Is it possible to use the following code, e.g. run as part of a
web application, to break in and if so, how?
import math

def myeval(untrustedinput):
    # globals: disable the built-in namespace; locals: expose only abs and sin
    return eval(untrustedinput, {"__builtins__": None},
                {"abs": abs, "sin": math.sin})
Is it possible to define functions or import modules from the
untrusted input string?
Which Python built-ins and math functions would I have to add to
the functions dictionary to make it unsafe?
TIA! (Please cc me, thanks.)
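Added example, not part of the original post and not the poster's code: the usual defensive answer to this question is to stop handing untrusted text to eval() at all and instead parse it with the ast module and evaluate only an allow-list of node types. The evaluator below accepts numeric literals, the basic arithmetic operators and calls to the same two names the post exposes ("abs" and "sin"); every other construct, in particular attribute access, name lookup, subscripts and lambdas, is refused before anything runs. The function and constant names (safe_eval, _eval_node, SAFE_FUNCTIONS, MAX_LEN, MAX_DEPTH, UnsafeExpression) are my own, and the code assumes Python 3.8 or later (ast.Constant).

```python
import ast
import math
import operator

# Functions the expression is allowed to call: the same two names the post
# passes to eval() as locals (assumed here to be the whole intended API).
SAFE_FUNCTIONS = {"abs": abs, "sin": math.sin}

# Arithmetic operators we accept. Pow is left out on purpose: "9**9**9" is a
# cheap way to pin a CPU, which a guarded evaluator should not allow.
BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

MAX_LEN = 200    # reject absurdly long input before parsing it
MAX_DEPTH = 50   # reject deeply nested input before it exhausts the stack


class UnsafeExpression(ValueError):
    """The input used a construct that is not on the allow-list."""


def _eval_node(node, depth=0):
    """Evaluate one AST node, refusing anything that is not a plain arithmetic
    expression over numbers plus calls to SAFE_FUNCTIONS."""
    if depth > MAX_DEPTH:
        raise UnsafeExpression("expression nested too deeply")
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, depth + 1)
    if isinstance(node, ast.Constant):
        # Only int/float literals; strings, bytes, None and Ellipsis are
        # refused (bool is a subclass of int, so exclude it explicitly).
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise UnsafeExpression("literal of type %s not allowed" % type(node.value).__name__)
    if isinstance(node, ast.BinOp):
        op = BIN_OPS.get(type(node.op))
        if op is None:
            raise UnsafeExpression("operator %s not allowed" % type(node.op).__name__)
        return op(_eval_node(node.left, depth + 1), _eval_node(node.right, depth + 1))
    if isinstance(node, ast.UnaryOp):
        op = UNARY_OPS.get(type(node.op))
        if op is None:
            raise UnsafeExpression("operator %s not allowed" % type(node.op).__name__)
        return op(_eval_node(node.operand, depth + 1))
    if isinstance(node, ast.Call):
        # The callee must be a bare allow-listed name. ast.Attribute is never
        # evaluated anywhere, so "obj.something" is refused whatever obj is;
        # positional arguments only (a Starred arg falls through to the
        # rejection below), no keyword arguments.
        if not isinstance(node.func, ast.Name) or node.func.id not in SAFE_FUNCTIONS:
            raise UnsafeExpression("only allow-listed functions may be called")
        if node.keywords:
            raise UnsafeExpression("keyword arguments not allowed")
        args = [_eval_node(arg, depth + 1) for arg in node.args]
        return SAFE_FUNCTIONS[node.func.id](*args)
    # Everything else (Name, Attribute, Subscript, Lambda, comprehensions,
    # Compare, BoolOp, Starred, ...) is rejected by default.
    raise UnsafeExpression("syntax node %s not allowed" % type(node).__name__)


def safe_eval(untrusted_input):
    """Evaluate an untrusted arithmetic expression without calling eval()."""
    if len(untrusted_input) > MAX_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(untrusted_input, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("not a valid expression: %s" % exc) from None
    return _eval_node(tree)


def is_rejected(untrusted_input):
    """True if safe_eval refuses the input (handy for checks and tests)."""
    try:
        safe_eval(untrusted_input)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate expressions, then inputs that
    # a web form should never be able to turn into arbitrary code.
    for expr in ("abs(-3) + sin(0)", "2 * (3 + 4) / 7", "abs.__doc__",
                 "__import__('os')", "x", "[1][0]", "9**9**9"):
        try:
            print("%-20s -> %r" % (expr, safe_eval(expr)))
        except UnsafeExpression as exc:
            print("%-20s -> rejected: %s" % (expr, exc))
```

The design point is that the allow-list is on syntax, not on names: there is no namespace for the input to climb out of, because the evaluator never resolves an attribute or a bare name in the first place. Arithmetic errors such as division by zero still surface as ordinary exceptions (ZeroDivisionError), so a web handler should catch those alongside UnsafeExpression.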