[Tutor] accessing list from a string

Alan Gauld alan.gauld at btinternet.com
Wed Nov 26 20:46:52 CET 2008


"Kent Johnson" <kent37 at tds.net> wrote

>>>>  e = "tuple(" + s + ")"
>>>>
>>>>  x,y  = eval(e)    # x -> 2.5, y -> 2.8
>
> This works just as well:
> s = '__import__("os").system("rm -rf /")'
>

I don't think it would, since the eval would call tuple,
which would return a tuple of characters, which would
not unpack into x,y, so throwing an error.

But John's example with the closing paren definitely would work.

So the moral is: don't be lazy, parse the input if there is
any possibility of hostile (or just uncontrolled) access to the 
input....

-- 
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld 



