[Tutor] executing a string representing python code

Cecilia Alm ebbaalm at uiuc.edu
Tue Mar 6 20:14:04 CET 2007


Hm, I'm not sure I see your point. Could an evil hacker not just as easily
change the dictionary in the python code (or somewhere else in the code) to
perform such evil operations?

--C

2007/3/5, ALAN GAULD <alan.gauld at btinternet.com>:
>
> > That's neat. When just the function call is the string,
> > eval() seems appropriate. (For example, if reading what
> > function to call from a file.)
>
> It's convenient but incredibly dangerous.
> It's much better in that case to create a dictionary of allowed
> (ie safe!) functions that can be read and then look that up
> from the file input.
>
> Otherwise anyone who can access the file (legitimately or
> otherwise) can start calling any of the standard Python functions,
> including os.unlink() to delete files, or even os.system(), to do
> just about anything - how about formatting your disk?
>
> import sys
>
> ok_funks = {
>       'some_func' : some_func,
>       'another_func': another_func,
>       'some_fancy_name': sys.exit
> }
>
> func = raw_input('type a function name>')
> try: ok_funks[func]()
> except KeyError: print 'Thats not a valid function'
>
> eval and exec are seductively powerful but they are immensely
> dangerous in a world of crackers and virus makers. They should
> only ever be used in strictly controlled scenarios and even then
> as a last resort.
>
> HTH,
>
> Alan G.
>



-- 
E. Cecilia Alm
Graduate student, Dept. of Linguistics, UIUC
Office: 2013 Beckman Institute
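The following is an added example, not code from either poster, written in Python 3 to show the difference the thread is arguing about. The dictionary of allowed functions lives in the program itself; the string chosen from a file or from user input can only select one of its keys. With eval(), the same string is executed as code, so whoever controls the file controls the process: the sample hostile input below reaches the os module through __import__ even though the program never imported it. The example also shows why passing eval() an empty __builtins__ is not a fix, since attribute access alone still walks from an empty tuple to every loaded class. The function names greet, farewell and the constant HOSTILE_INPUT are constructed for the example.

```python
"""Added example: dispatch table (allowlist) versus eval() for picking a function by name."""


# Two functions the program is willing to expose to configuration data.
# (Constructed for this example.)
def greet():
    return "hello"


def farewell():
    return "goodbye"


# The allowlist lives in the code, not in the data being read.
OK_FUNCS = {
    "greet": greet,
    "farewell": farewell,
}

# Constructed sample of what someone who can write to the "config file"
# might place there. Harmless here (it only asks for the PID), but it
# demonstrates reaching os without the program ever importing it.
HOSTILE_INPUT = "__import__('os').getpid()"


def call_with_eval(expr):
    """The pattern the thread warns against: evaluate file contents as code."""
    return eval(expr)


def call_with_allowlist(name):
    """Look the name up in the allowlist; anything else is rejected outright."""
    try:
        func = OK_FUNCS[name]
    except KeyError:
        raise ValueError(f"{name!r} is not an allowed function") from None
    return func()


def classes_reachable_without_builtins():
    """Show that stripping __builtins__ does not sandbox eval().

    Attribute access still works, so an expression can walk from the
    empty tuple to object and enumerate every subclass loaded in the
    interpreter. Returns how many classes are reachable that way.
    """
    escape = "().__class__.__base__.__subclasses__()"
    return len(eval(escape, {"__builtins__": {}}))


if __name__ == "__main__":
    print("allowlist:", call_with_allowlist("greet"))
    try:
        call_with_allowlist(HOSTILE_INPUT)
    except ValueError as exc:
        print("allowlist rejected hostile input:", exc)
    print("eval reached os.getpid():", call_with_eval(HOSTILE_INPUT))
    print("classes reachable with empty __builtins__:",
          classes_reachable_without_builtins())
```

Run it and the allowlist path raises ValueError on the hostile string, while the eval() path happily returns the process id. The only way to widen what the allowlist version can do is to edit OK_FUNCS in the source, which requires write access to the program rather than to its input.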

