Yet another attempt at a safe eval() call

Grant Edwards invalid at invalid.invalid
Fri Jan 4 03:34:14 CET 2013


On 2013-01-04, Tim Chase <python.list at tim.thechases.com> wrote:
> On 01/03/13 17:25, Grant Edwards wrote:
>> def lessDangerousEval(expr):
>>      global symbolTable
>>      if 'import' in expr:
>>          raise ParseError("operand expressions are not allowed to contain the string 'import'")
>>      globals = {'__builtins__': None}
>>      locals  = symbolTable
>>      return eval(expr, globals, locals)
>>
>> I can guarantee that symbolTable is a dict that maps a set of string
>> symbol names to integer values.
>
> For what definition of "safe"?  Are CPython segfaults a problem?

Not by themselves, no.

> Blowing the stack?

Not a problem either.  I don't care if the program crashes.  It's a
pretty dumb assembler, and it gives up and exits after the first error
anyway.

> Do you aim to prevent exploitable things like system calls or
> network/file access?

Yes, that's mainly what I was wondering wondering about.

-- 
Grant





More information about the Python-list mailing list