Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!news.glorb.com!news-xxxfer.readnews.com!news-out.readnews.com!transit3.readnews.com!panix!not-for-mail
From: Grant Edwards <invalid@invalid.invalid>
Newsgroups: comp.lang.python
Subject: Re: Yet another attempt at a safe eval() call
Date: Fri, 4 Jan 2013 02:34:14 +0000 (UTC)
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 32
Message-ID: <kc5f36$qao$1@reader1.panix.com>
References: <kc541v$3e4$1@reader1.panix.com> <mailman.69.1357265052.2939.python-list@python.org>
NNTP-Posting-Host: c-24-118-110-103.hsd1.mn.comcast.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Trace: reader1.panix.com 1357266854 26968 24.118.110.103 (4 Jan 2013 02:34:14 GMT)
X-Complaints-To: abuse@panix.com
NNTP-Posting-Date: Fri, 4 Jan 2013 02:34:14 +0000 (UTC)
User-Agent: slrn/0.9.9p1 (Linux)
Xref: csiph.com comp.lang.python:36098

On 2013-01-04, Tim Chase <python.list@tim.thechases.com> wrote:
> On 01/03/13 17:25, Grant Edwards wrote:
>> def lessDangerousEval(expr):
>>      global symbolTable
>>      if 'import' in expr:
>>          raise ParseError("operand expressions are not allowed to contain the string 'import'")
>>      globals = {'__builtins__': None}
>>      locals  = symbolTable
>>      return eval(expr, globals, locals)
>>
>> I can guarantee that symbolTable is a dict that maps a set of string
>> symbol names to integer values.
>
> For what definition of "safe"?  Are CPython segfaults a problem?

Not by themselves, no.

> Blowing the stack?

Not a problem either.  I don't care if the program crashes.  It's a
pretty dumb assembler, and it gives up and exits after the first error
anyway.

> Do you aim to prevent exploitable things like system calls or
> network/file access?

Yes, that's mainly what I was wondering wondering about.

-- 
Grant