Is this a safe use of eval?

Peter Otten __peter__ at
Thu Feb 24 10:01:45 CET 2011

Frank Millman wrote:

> Hi all
> I know that the use of 'eval' is discouraged because of the dangers of
> executing untrusted code.
> Here is a variation that seems safe to me, but I could be missing
> something.
> I have a class, and the class has one or more methods which accept various
> arguments and return a result.
> I want to accept a method name and arguments in string form, and 'eval' it
> to get the result.
> Assume I have an instance called my_inst, and a method called 'calc_area',
> with arguments w and h.
> I then receive my_string  = 'calc_area(100, 200)'.
>>>> result = eval('my_inst.{0}'.format(my_string))
> This will only work if the string contains a valid method name with valid
> arguments.
> Can anyone see anything wrong with this?

How do you prevent that a malicious source sends you

my_string = 'calc_area(__import__("os").system("rm important_file") or 100, 


More information about the Python-list mailing list