Kent Johnson wrote:
> It is very challenging to even come close to safety. If you search
> comp.lang.python for eval or exec you will find many discussions of
> this. For example
> http://groups.google.com/group/comp.lang.python/browse_frm/thread/cf6093c5551a6587/23ddf23a6dfc3e11?q=eval&rnum=1#23ddf23a6dfc3e11
>
> One approach is to use the compiler module to parse the input data and
> write a custom visitor for the parse tree that only allows 'safe' parse
> elements to be processed. There is some discussion here:
> http://groups.google.com/group/comp.lang.python/browse_frm/thread/d5f4d7e2c397c2ca/5d1af7f9c7b1789b?q=python+compiler+safe+eval&rnum=1#5d1af7f9c7b1789b

Thanks for the references. I played with the parse tree yesterday a little bit, for which I now have a little bit more understanding, since I implemented my own extremely primitive version. It had seemed like I ought to be able to take advantage of it, if I had an adequate stop list.
> There is also a hack that provides an empty __builtin__ namespace to
> eval which prevents at least naive attempts at hacking.
>
> Bottom line - it's a very hard problem which I don't think anyone has
> solved to the satisfaction of all observers, though there are limited
> solutions which some people find acceptable.

Terry Carroll wrote:
> On Tue, 14 Feb 2006, Kent Johnson wrote:
>
>> Bottom line - it's a very hard problem which I don't think anyone has
>> solved to the satisfaction of all observers, though there are limited
>> solutions which some people find acceptable.
>
> I think it's telling that the restricted execution modules, rexec and
> Bastion, became disabled as of python 2.3; that gives an indication of how
> difficult a problem it is to fix.
>
> http://www.python.org/doc/lib/restricted.html

I hate to admit it, but there are times when fear should be listened to, and I think this is one of them. So, I guess I'll move on to parsing it myself. Seems a shame though.

ds

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
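As an added example (not code from anyone in this thread), here is the allow-list approach Kent describes, written against Python 3's `ast` module, which replaced the `compiler` module he mentions. The expression is parsed, and a hand-written walker evaluates only the node types it recognises (numeric constants, caller-supplied names, arithmetic, boolean and comparison operators); anything else, including attribute access, calls, subscripts and containers, is rejected before any evaluation happens, so `eval` is never called on the input at all. The function names `safe_eval` and `naive_eval`, the `UnsafeExpression` error type and the `MAX_EXPONENT` / `MAX_DEPTH` limits are choices made here, not anything from the thread. `naive_eval` is the empty-`__builtins__` hack, included to show why it is only a deterrent to naive attempts: with no builtins, attribute access still walks from a literal to `object.__subclasses__()` and from there to every loaded class. Requires Python 3.8+ (`ast.Constant`).

```python
import ast
import operator

# Operators the evaluator is willing to apply. Everything not in these tables
# (and every AST node type not handled in _evaluate) is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg, ast.Not: operator.not_}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}

# Assumed limits: even a pure-arithmetic allow-list can be used for denial of
# service ("9**9**9"), so bound the exponent and the nesting depth.
MAX_EXPONENT = 1000
MAX_DEPTH = 50


class UnsafeExpression(ValueError):
    """Raised for any construct outside the allow-list."""


def _evaluate(node, names, depth=0):
    if depth > MAX_DEPTH:
        raise UnsafeExpression("expression nested too deeply")
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, names, depth + 1)
    if isinstance(node, ast.Constant):
        # Only plain numbers/booleans/None; strings are refused so the result
        # can never be smuggled back into another eval as code.
        if node.value is None or isinstance(node.value, (int, float, bool)):
            return node.value
        raise UnsafeExpression("only numeric constants are allowed")
    if isinstance(node, ast.Name):
        # Names resolve only against the caller-supplied dict, never globals.
        if node.id in names:
            return names[node.id]
        raise UnsafeExpression("unknown name %r" % node.id)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand, names, depth + 1))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _evaluate(node.left, names, depth + 1)
        right = _evaluate(node.right, names, depth + 1)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.BoolOp):
        values = [_evaluate(v, names, depth + 1) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        # Chained comparisons such as 1 < x <= 5 are evaluated pairwise.
        left = _evaluate(node.left, names, depth + 1)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise UnsafeExpression("comparison %s not allowed" % type(op).__name__)
            right = _evaluate(comparator, names, depth + 1)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    # Attribute, Call, Subscript, Lambda, List/Dict/Tuple, comprehensions,
    # f-strings, starred expressions, ... all land here.
    raise UnsafeExpression("node %s not allowed" % type(node).__name__)


def safe_eval(expression, names=None):
    """Evaluate an arithmetic/boolean expression using only allow-listed AST nodes.

    `names` maps identifiers the expression may use to their values; anything
    else in the expression raises UnsafeExpression (or SyntaxError from the parser).
    """
    tree = ast.parse(expression, mode="eval")
    return _evaluate(tree, dict(names or {}))


def naive_eval(expression):
    """The empty-__builtins__ hack from the thread: it removes open, __import__
    and friends, but attribute access is still available, so the expression
    "().__class__.__bases__[0].__subclasses__()" still returns every subclass
    of object in the process. Shown for contrast only; do not use on untrusted input."""
    return eval(expression, {"__builtins__": {}}, {})


if __name__ == "__main__":
    print(safe_eval("(x + 1) ** 2 - 3 * y", {"x": 4, "y": 2}))
    for attempt in ["().__class__.__bases__[0].__subclasses__()", "__import__('os')"]:
        try:
            safe_eval(attempt)
        except UnsafeExpression as exc:
            print("rejected:", attempt, "->", exc)
```

Two caveats a practitioner would want: if the input is supposed to be data (numbers, strings, lists, dicts) rather than an expression, the standard library's `ast.literal_eval` already does this job and is the first thing to reach for; and an allow-list like the one above is a parser for a small expression language, not a sandbox, which is the conclusion the thread itself reaches. It is safe because it refuses everything it does not understand, so every node type added to the allow-list needs the same scrutiny as the ones here.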