[Tutor] accessing list from a string

Alan Gauld alan.gauld at btinternet.com
Wed Nov 26 10:16:00 CET 2008

"John Fouhy" <john at fouhy.net> wrote

>>  e = "tuple(" + e + ")"
>>  x,y  = eval(e)    # x -> 2.5, y -> 2.8
> If I, as an evildoer, can control e, it seems that I could set it 
> to:
>    ,), __import__('os').system('rm -rf /'
> I've never thought of myself as all that devious :-)

Sorry John, too fast in hitting reply.
I didn't notice the closing quote in the original - too early
in the morning! - yes that would trip it up.

But that would be a specific bit of code aimed at a
specific eval - in other words the perp would need to
know that the eval had a function call in it. So yes
you do classify as devious in my definition! :-)

Someone just typing valid Python code into an input
in the hope of causing havoc would not succeed,
you need to know to close parens and leave an
unclosed paren at the end.

But yes, the eval is not foolproof and if that is a cause
for concern then parse the string.

Alan g 

More information about the Tutor mailing list