Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #45644
| Path | csiph.com!usenet.pasdenom.info!gegeweb.org!newsfeed.kamp.net!newsfeed.kamp.net!newsfeed.freenet.ag!news2.euro.net!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <python-python-list@m.gmane.org> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| X-Spam-Status | OK 0.002 |
| X-Spam-Evidence | '*H*': 1.00; '*S*': 0.00; 'example:': 0.03; 'url:pypi': 0.03; 'class,': 0.07; 'explicit': 0.07; 'subject:Question': 0.07; 'currently,': 0.09; 'if,': 0.09; 'namespace': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'subject:skip:a 10': 0.09; 'python': 0.11; 'ast': 0.16; 'definitions,': 0.16; 'dictionary),': 0.16; 'disallow': 0.16; 'expression.': 0.16; 'for,': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'syntax,': 0.16; 'wrote:': 0.18; 'module': 0.19; 'seems': 0.21; '>>>': 0.22; 'code,': 0.22; 'import': 0.22; 'header:User-Agent:1': 0.23; 'supported': 0.26; 'defined': 0.27; 'header:X-Complaints-To:1': 0.27; 'header:In- Reply-To:1': 0.27; 'function': 0.29; 'concern': 0.31; 'exceptions': 0.31; 'maintaining': 0.32; 'url:python': 0.33; 'skip:_ 10': 0.34; 'but': 0.35; 'there': 0.35; 'thanks': 0.36; 'url:org': 0.36; 'to:addr:python-list': 0.38; 'does': 0.39; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'skip:u 10': 0.60; 'flat': 0.60; 'most': 0.60; "you're": 0.61; 'email addr:gmail.com': 0.63; 'name': 0.63; 'protection': 0.63; 'skip:n 10': 0.64; 'relatively': 0.65; 'worth': 0.66; 'biggest': 0.67; 'frank': 0.68; 'useful.': 0.68; 'safe': 0.72; 'guaranteed': 0.75; 'attacks.': 0.84; 'calculations': 0.84; 'exposing': 0.91; 'notable': 0.91; 'walking': 0.91 |
| X-Injected-Via-Gmane | http://gmane.org/ |
| To | python-list@python.org |
| From | Frank Millman <frank@chagford.com> |
| Subject | Re: Question about ast.literal_eval |
| Date | Tue, 21 May 2013 07:54:28 +0200 |
| References | <mailman.1863.1369033561.3114.python-list@python.org> <bd9faee1-5b93-46d6-b403-091bf071cc77@googlegroups.com> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=ISO-8859-1; format=flowed |
| Content-Transfer-Encoding | 7bit |
| X-Gmane-NNTP-Posting-Host | 197.87.30.233 |
| User-Agent | Mozilla/5.0 (Windows NT 5.2; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 |
| In-Reply-To | <bd9faee1-5b93-46d6-b403-091bf071cc77@googlegroups.com> |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.15 |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.1904.1369115684.3114.python-list@python.org> (permalink) |
| Lines | 29 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1369115684 news.xs4all.nl 15991 [2001:888:2000:d::a6]:39184 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:45644 |
Show key headers only | View raw
On 21/05/2013 04:39, matt.newville@gmail.com wrote:
>
> You might find the asteval module (https://pypi.python.org/pypi/asteval) useful. It provides a relatively safe "eval", for example:
>
> >>> import asteval
> >>> a = asteval.Interpreter()
> >>> a.eval('x = "abc"')
> >>> a.eval('x in ("abc", "xyz")')
> True
> >>> a.eval('import os')
> NotImplementedError
> import os
> 'Import' not supported
> >>> a.eval('__import__("os")')
> NameError
> __import__("os")
> name '__import__' is not defined
>
> This works by maintaining an internal namespace (a flat dictionary), and walking the AST generated for the expression. It supports most Python syntax,
> including if, for, while, and try/except blocks, and function definitions, and with the notable exceptions of eval, exec, class, lambda, yield, and import. This requires Python2.6 and higher, and does work with Python3.3.
>
> Of course, it is not guaranteed to be completely safe, but it does disallow imports, which seems like the biggest vulnerability concern listed here. Currently, there is no explicit protection against long-running calculations for denial of service attacks. If you're exposing an SQL database to user-generated code, that may be worth considering.
Thanks for this, Matt. I will definitely look into it.
Frank
Back to comp.lang.python | Previous | Next — Previous in thread | Find similar | Unroll thread
Question about ast.literal_eval Frank Millman <frank@chagford.com> - 2013-05-20 09:05 +0200
Re: Question about ast.literal_eval matt.newville@gmail.com - 2013-05-20 19:39 -0700
Re: Question about ast.literal_eval Frank Millman <frank@chagford.com> - 2013-05-21 07:54 +0200
csiph-web