[Tutor] accessing list from a string
Alan Gauld
alan.gauld at btinternet.com
Wed Nov 26 23:56:57 CET 2008
"Kent Johnson" <kent37 at tds.net> wrote
>>> This works just as well:
>>> s = '__import__("os").system("rm -rf /")'
>>>
>>
>> I don' think it would since the eval would call tuple
>> which would return a tuple of characters which would
>> not unpack into x,y so throwing an error.
>
> Care to try it? It does raise an exception but not until after the
> import expression is evaluated and the damage is done.
Rats, so it does!
My initial test didn't fail because I put the literal string
into the tuple() call but when you use the string addition
you lose the quotes. But then you need to lose the quotes
for the eval of the list to work too so just adding quotes
doesn't work either.
Pity, I've used that technique with lisp and its been OK
but obviously not with Python. Back to the drawing board!
Thanks for keeping me straight Kent! (and John)
Alan G.
More information about the Tutor
mailing list