[Tutor] accessing list from a string
john at fouhy.net
Wed Nov 26 03:40:08 CET 2008
On 26/11/2008, Alan Gauld <alan.gauld at btinternet.com> wrote:
> You could use eval to evaluate the string but that would be dangerous since
> the striong could be a malicious piece of code. But you can make it a lot
> safer by wrapping it in a function with known effect, thus:
> s = "[2.5,2.8]" # your string from the file
> e = "tuple(" + e + ")"
> x,y = eval(e) # x -> 2.5, y -> 2.8
> Now if some crazy code gets read by error the eval will throw an error. Its
> not foolproof but it works for all but the most devious attacks.
If I, as an evildoer, can control e, it seems that I could set it to:
,), __import__('os').system('rm -rf /'
I've never thought of myself as all that devious :-)
More information about the Tutor