[Tutor] eval and exec

Kent Johnson kent37 at tds.net
Sun Dec 5 03:35:16 CET 2004


Marilyn Davis wrote:
> Thank you.  You guys are great.
> 
> I was trying to eval("import %s" % something).  
> 
> exec("import %s" % something) works just fine and now I understand why.
> 
> But, why is this so extremely dangerous?

The danger is in exec'ing code whose source is not trusted.

Using exec to import a module or create a name in your own code is fine. Using exec to run code from 
an untrusted source such as user input is opening yourself to any kind of mischief. For example you 
wouldn't want to
exec("import os; os.system('del /f /q *')")

Kent

> 
> Marilyn

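Added example, not from Kent's or Marilyn's messages: it shows in code why the original eval("import ...") attempt fails (import is a statement, and eval only accepts expressions), and how to import a module chosen at runtime without exec by validating the name against a strict pattern and an allowlist before handing it to importlib. The allowlist contents and the helper names are assumptions for illustration.

```python
import importlib
import re
import types

# Only plain dotted identifiers are even considered; anything with spaces,
# semicolons or quotes (like the os.system payload above) fails this check.
_MODULE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")

# Assumed allowlist: the modules this program is willing to load on request.
ALLOWED_MODULES = frozenset({"json", "math", "statistics"})


def eval_cannot_import(name: str) -> bool:
    """Why eval("import %s") never works: 'import' is a statement, and eval()
    only accepts expressions, so the call raises SyntaxError for any name."""
    try:
        eval("import %s" % name)
    except SyntaxError:
        return True
    return False


def safe_import(name: str) -> types.ModuleType:
    """Import a module named at runtime without exec().

    The name is checked against a strict identifier pattern and then against
    an explicit allowlist; only then is importlib asked to load it."""
    if not _MODULE_NAME.match(name):
        raise ValueError("refusing malformed module name: %r" % name)
    if name not in ALLOWED_MODULES:
        raise ValueError("module not in allowlist: %r" % name)
    return importlib.import_module(name)


def classify(name: str) -> tuple:
    """Return ('imported', module name) or ('rejected', reason) for a request."""
    try:
        mod = safe_import(name)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("imported", mod.__name__)


if __name__ == "__main__":
    # Constructed inputs: one legitimate request, one copying the dangerous
    # string from the message above, one real but unlisted module.
    for request in ["math", "os; os.system('del /f /q *')", "os"]:
        print(request, "->", classify(request))
```

The pattern check alone is not the protection: "os" is a perfectly well-formed name, which is why the allowlist is the decisive step, and importlib.import_module never parses or executes the string as code the way exec does.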