How is correct use of eval()

Steven D'Aprano steve at REMOVE-THIS-cybersource.com.au
Tue Oct 12 01:15:01 CEST 2010


On Mon, 11 Oct 2010 11:18:37 -0700, Chris Rebert wrote:

> On Mon, Oct 11, 2010 at 11:11 AM, Cata <catalinfest at gmail.com> wrote:
>> Hi .
>> I read about eval().
>> I also read about this "bug" :
>> cod = raw_input ('Enter:")
>> eval (cod)
>> if i use  "rm -rf ~"  all files will be deleted .
> 
> That's incorrect. eval() does not (directly) run shell commands. It does
> evaluate arbitrary Python expressions though, which can delete files and
> do other things just as nasty as rm -rf.
> 
>> What is correct way to use this function?
> 
> To not use it in the first place if at all possible (use int(), float(),
> getattr(), etc. instead, depending on what you're doing), or to only use
> it with trusted or heavily validated input.

Furthermore, consider that no matter how clever you are at guessing all 
the possible tricks that bad guys might introduce to your code, you can 
never be sure you have guessed *all* of them.


-- 
Steven



More information about the Python-list mailing list