Yet another attempt at a safe eval() call

Tim Chase python.list at tim.thechases.com
Fri Jan 4 02:11:18 CET 2013


On 01/03/13 17:25, Grant Edwards wrote:
> # symbolTable is a module-level dict mapping symbol names (str) to ints.
> class ParseError(Exception):
>     pass
>
> def lessDangerousEval(expr):
>      global symbolTable
>      # Crude filter: reject any expression that mentions the string 'import'.
>      if 'import' in expr:
>          raise ParseError("operand expressions are not allowed to contain the string 'import'")
>      # Hide the builtins from the evaluated expression; only symbolTable names resolve.
>      globals = {'__builtins__': None}
>      locals  = symbolTable
>      return eval(expr, globals, locals)
>
> I can guarantee that symbolTable is a dict that maps a set of string
> symbol names to integer values.

For what definition of "safe"?  Are CPython segfaults a problem?
Blowing the stack?  Do you aim to prevent exploitable things like
system calls or network/file access?

-tkc
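
An added example, not code from either post in this thread, that makes the
question above concrete: it reproduces the quoted wrapper, feeds it one
expression that passes both of its checks and still evaluates to os.system,
and then shows an AST-whitelist evaluator that does only the integer
arithmetic the symbol table needs. The symbol table contents, the names
less_dangerous_eval and safe_int_eval, and the size limits are illustrative
assumptions; the escape assumes CPython 3, where the os module (and so
os._wrap_close) is always loaded at interpreter start.

```python
"""Added example, not code from the thread: the quoted eval() wrapper, one
expression that slips past it, and an AST-whitelist evaluator to use instead.
Assumes CPython 3; names and limits below are illustrative choices."""
import ast
import operator

# Constructed symbol table in the shape described in the thread (str -> int).
SYMBOL_TABLE = {"width": 640, "height": 480, "depth": 3}


class ParseError(Exception):
    pass


def less_dangerous_eval(expr, symbols=SYMBOL_TABLE):
    """The quoted approach: forbid the substring 'import', hide the builtins."""
    if "import" in expr:
        raise ParseError("operand expressions are not allowed to contain the string 'import'")
    return eval(expr, {"__builtins__": None}, dict(symbols))


# Passes both checks, names no builtin, and evaluates to os.system: from the
# empty tuple to object, to object's subclasses, to os._wrap_close (loaded at
# interpreter start), to the module globals of its pure-Python __init__.
ESCAPE = ("[c for c in ().__class__.__base__.__subclasses__()"
          " if c.__name__ == '_wrap_close'][0].__init__.__globals__['system']")


def demonstrate_escape():
    """Return the os.system function recovered through less_dangerous_eval (never called)."""
    return less_dangerous_eval(ESCAPE)


# Whitelist evaluator: parse, then interpret only the node types listed here.
# Call, Attribute, Subscript and comprehension nodes are simply not handled,
# so introspection chains like ESCAPE are rejected before anything runs.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
    ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
}  # Pow is left out on purpose: 9**9**9**9 would never finish.
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Invert: operator.invert}

MAX_EXPR_LEN = 1000   # bounds parser work and the number of operators
MAX_DEPTH = 50        # bounds recursion in _eval_node, independent of the parser
MAX_SHIFT = 10_000    # keeps 1 << n from allocating enormous integers


def safe_int_eval(expr, symbols=SYMBOL_TABLE):
    """Evaluate integer arithmetic over names in `symbols`; reject everything else."""
    if len(expr) > MAX_EXPR_LEN:
        raise ParseError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        # Old parsers report deep nesting as MemoryError, newer ones as SyntaxError.
        raise ParseError(f"not a valid expression: {exc}") from None
    return _eval_node(tree.body, symbols, depth=0)


def _eval_node(node, symbols, depth):
    if depth > MAX_DEPTH:
        raise ParseError("expression nested too deeply")
    if isinstance(node, ast.Constant) and type(node.value) is int:  # excludes bool/float/str
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in symbols:
            raise ParseError(f"unknown symbol {node.id!r}")
        return symbols[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, symbols, depth + 1))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, symbols, depth + 1)
        right = _eval_node(node.right, symbols, depth + 1)
        if type(node.op) in (ast.FloorDiv, ast.Mod) and right == 0:
            raise ParseError("division by zero")
        if type(node.op) in (ast.LShift, ast.RShift) and not 0 <= right <= MAX_SHIFT:
            raise ParseError("shift count out of range")
        return _BIN_OPS[type(node.op)](left, right)
    raise ParseError(f"disallowed syntax: {type(node).__name__}")


def is_rejected(expr):
    """True if safe_int_eval refuses `expr` with ParseError."""
    try:
        safe_int_eval(expr)
    except ParseError:
        return True
    return False


if __name__ == "__main__":
    print("escape returns:", demonstrate_escape())          # os.system
    print("safe:", safe_int_eval("width * height * depth"))  # 921600
    for bad in (ESCAPE, "2 ** 64", "__import__('os')", "-" * 300 + "1"):
        print("rejected" if is_rejected(bad) else "ACCEPTED", repr(bad[:40]))
```

The point of the two halves: removing `__builtins__` only removes one road
to dangerous objects, while every object reachable by attribute walking keeps
its normal power; the whitelist evaluator never hands the expression an
object at all, it only interprets a fixed grammar, and the length, depth and
shift caps address the stack and resource questions independently of what
the parser happens to tolerate.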
