[Tutor] accessing list from a string

John Fouhy john at fouhy.net
Wed Nov 26 03:40:08 CET 2008

On 26/11/2008, Alan Gauld <alan.gauld at btinternet.com> wrote:
>  You could use eval to evaluate the string but that would be dangerous since
> the striong could be a malicious piece of code. But you can make it a lot
> safer by wrapping it in a function with known effect, thus:
>  s = "[2.5,2.8]"  # your string from the file
>  e = "tuple(" + e + ")"
>  x,y  = eval(e)    # x -> 2.5, y -> 2.8
>  Now if some crazy code gets read by error the eval will throw an error. Its
> not foolproof but it works for all but the most devious attacks.

If I, as an evildoer, can control e, it seems that I could set it to:

    ,), __import__('os').system('rm -rf /'

I've never thought of myself as all that devious :-)


More information about the Tutor mailing list