[Tutor] accessing list from a string
Kent Johnson
kent37 at tds.net
Wed Nov 26 21:15:28 CET 2008
On Wed, Nov 26, 2008 at 2:46 PM, Alan Gauld <alan.gauld at btinternet.com> wrote:
>
> "Kent Johnson" <kent37 at tds.net> wrote
>
>>>>> e = "tuple(" + s + ")"
>>>>>
>>>>> x,y = eval(e) # x -> 2.5, y -> 2.8
>>
>> This works just as well:
>> s = '__import__("os").system("rm -rf /")'
>>
>
> I don't think it would since the eval would call tuple
> which would return a tuple of characters which would
> not unpack into x,y so throwing an error.

Care to try it? It does raise an exception but not until after the
import expression is evaluated and the damage is done.

In [4]: s = '__import__("os").system("dir")'
In [5]: e = "tuple(" + s + ")"
In [6]: eval(e)
echo off
Volume in drive C is unlabeled Serial number is 5487:d172
Directory of C:\Project\Play\*
<snip>
7,757,694 bytes in 3 files and 18 dirs 7,766,016 bytes allocated
96,700,784,640 bytes free
---------------------------------------------------------------------------
TypeError Traceback (most recent call last)
C:\Project\Play\<ipython console> in <module>()
C:\Project\Play\<string> in <module>()
TypeError: 'int' object is not iterable
Kent
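
Added example, not part of the original message: a way to read the two numbers without eval, using ast.literal_eval, plus a harmless reproduction of the evaluation order shown in the session above. The names parse_pair, eval_order_demo and probe are hypothetical, and the input format "[2.5, 2.8]" is an assumption, since the original string s is not shown in this message.

```python
import ast


def parse_pair(s):
    """Parse a string such as "[2.5, 2.8]" into two floats without executing it."""
    try:
        # literal_eval accepts only literals (numbers, strings, lists, tuples,
        # dicts, ...). Calls, names and attribute access are rejected, so
        # nothing inside the string is ever run.
        value = ast.literal_eval(s.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % (s,)) from exc
    if not isinstance(value, (list, tuple)) or len(value) != 2:
        raise ValueError("expected exactly two values: %r" % (s,))
    for item in value:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(item, bool) or not isinstance(item, (int, float)):
            raise ValueError("expected numbers only: %r" % (s,))
    x, y = value
    return float(x), float(y)


def eval_order_demo():
    """Show that eval runs the argument expression before tuple() rejects its result."""
    calls = []

    def probe():
        # Harmless stand-in for a call with side effects. It returns an int,
        # as os.system does, which is what makes tuple() raise afterwards.
        calls.append("ran")
        return 0

    namespace = {"tuple": tuple, "probe": probe}
    try:
        eval("tuple(" + "probe()" + ")", namespace)  # same shape as e above
    except TypeError:
        calls.append("TypeError")
    return calls


if __name__ == "__main__":
    print(parse_pair("[2.5, 2.8]"))
    print(eval_order_demo())
```
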