Sandboxing Python

Chris Angelico rosuav at gmail.com
Sun Aug 23 01:44:59 CEST 2015


On Sun, Aug 23, 2015 at 9:25 AM, Mark Lawrence <breamoreboy at yahoo.co.uk> wrote:
> I was always led to believe that the subject was a difficult thing to do,
> but here
> https://www.reddit.com/r/learnpython/comments/3huz4x/how_to_do_math_inside_raw_input/
> is a safe solution in only 23 characters, or are there any discernable flaws
> in it?


I'm sorry, I can't see which solution you're talking about there -
maybe I just don't know how to read reddit properly. Can you paste the
proposed code please?

The best I can see there is "use eval but with no builtins". That's
fundamentally flawed because you don't need builtins to break stuff.
All you need is a literal, from which you can snag everything else via
its attributes.

However, for this situation, I would be recommending ast.literal_eval,
which *is* safe. It's a lot more powerful than "split it into number,
operator, number" as mentioned at the end, but still can't majorly
break anything.

ChrisA


More information about the Python-list mailing list