From: Oscar Benjamin
To: Python List
Newsgroups: comp.lang.python
Subject: Re: Yet another attempt at a safe eval() call
Date: Mon, 7 Jan 2013 00:08:07 +0000
References: <50e6891c$0$30003$c3e8da3$5496439d@news.astraweb.com>

On 6 January 2013 15:12, Grant Edwards wrote:
> On 2013-01-05, Oscar Benjamin wrote:
>> On 4 January 2013 15:53, Grant Edwards wrote:
>>> On 2013-01-04, Steven D'Aprano wrote:
>>>> On Thu, 03 Jan 2013 23:25:51 +0000, Grant Edwards wrote:
>>>>
>>>> * But frankly, you should avoid eval, and write your own mini-integer
>>>> arithmetic evaluator which avoids even the most remote possibility
>>>> of exploit.
>>>
>>> That's obviously the "right" thing to do. I suppose I should figure
>>> out how to use the ast module.
>>
>> Someone has already created a module that does this called numexpr. Is
>> there some reason why you don't want to use that?
>
> 1) I didn't know about it, and my Googling didn't find it.
>
> 2) It's not part of the standard library, and my program needs to be
> distributed as a single source file.

That's an unfortunate restriction. It also won't be possible to reuse
the code from numexpr (for technical rather than legal reasons).
Perhaps asteval will be more helpful in that sense.
Otherwise presumably the shunting-yard algorithm comes out a little
nicer in Python than in C (it would be useful if something like this
were available on PyPI as a pure Python module):
http://en.wikipedia.org/wiki/Shunting_yard_algorithm#C_example

Oscar
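A single-file, pure-Python evaluator of the kind the thread is asking for, added here as an example; it is not code from the thread, from numexpr or from asteval. It tokenises against a whitelist, rewrites the token stream to RPN with the shunting-yard algorithm, and evaluates with integer operations only, so no part of the input ever reaches eval(), exec() or a name lookup. The operator set, the unary-minus handling and the resource limits (MAX_DIGITS, MAX_RESULT_BITS) are assumptions chosen for the example; the limits matter because an evaluator that accepts "9 ** 9 ** 9" is a denial of service even though it is "just arithmetic".

```python
"""Safe integer-arithmetic evaluator built on the shunting-yard algorithm.

Added example; not code from the thread, numexpr or asteval.  Input is
tokenised against a whitelist, rewritten to RPN and evaluated with integer
operations only, so nothing in the input is passed to eval() or a name lookup.
"""
import re

# Whitelist tokeniser: integer literals, the operators below and parentheses.
_TOKEN_RE = re.compile(r"\s*(?:(\d+)|(\*\*|[-+*/%()]))")

# Binary operators: (precedence, associativity), mirroring Python's rules.
_BINOPS = {
    "+": (1, "left"), "-": (1, "left"),
    "*": (2, "left"), "/": (2, "left"), "%": (2, "left"),
    "**": (4, "right"),
}
_UNARY_PREC = 3  # unary minus: tighter than * but looser than ** (so -2**2 == -4)

# Resource limits (assumed values): bound CPU and memory, not just semantics.
MAX_DIGITS = 1000          # longest integer literal accepted
MAX_RESULT_BITS = 1 << 16  # largest intermediate result allowed


class ExprError(ValueError):
    """Raised for anything that is not a well-formed, bounded integer expression."""


def tokenize(text):
    """Return ('num', int) / ('op', str) tokens; any other character is rejected."""
    text = text.strip()
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ExprError(f"illegal character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) is not None:
            if len(m.group(1)) > MAX_DIGITS:
                raise ExprError("integer literal too long")
            tokens.append(("num", int(m.group(1))))
        else:
            tokens.append(("op", m.group(2)))
    return tokens


def to_rpn(tokens):
    """Shunting-yard: infix token list -> RPN list of ints and operator strings."""
    output, stack, prev = [], [], None  # prev: previous token, to spot unary minus
    for kind, value in tokens:
        if kind == "num":
            output.append(value)
        elif value == "(":
            stack.append("(")
        elif value == ")":
            while stack and stack[-1] != "(":
                output.append(stack.pop())
            if not stack:
                raise ExprError("unbalanced ')'")
            stack.pop()
        elif value == "-" and (prev is None or prev == "(" or prev in _BINOPS):
            stack.append("neg")  # prefix minus (there is no unary plus here)
        else:
            prec, assoc = _BINOPS[value]
            while stack and stack[-1] != "(":
                top = stack[-1]
                top_prec = _UNARY_PREC if top == "neg" else _BINOPS[top][0]
                if top_prec > prec or (top_prec == prec and assoc == "left"):
                    output.append(stack.pop())
                else:
                    break
            stack.append(value)
        prev = value if kind == "op" else "num"
    while stack:
        op = stack.pop()
        if op == "(":
            raise ExprError("unbalanced '('")
        output.append(op)
    return output


def eval_rpn(rpn):
    """Evaluate RPN with integers, checking operand count, zero division and size."""
    stack = []
    for item in rpn:
        if isinstance(item, int):
            stack.append(item)
            continue
        if item == "neg":
            if not stack:
                raise ExprError("missing operand for unary '-'")
            stack.append(-stack.pop())
            continue
        if len(stack) < 2:
            raise ExprError(f"missing operand for '{item}'")
        b, a = stack.pop(), stack.pop()
        if item == "+":
            r = a + b
        elif item == "-":
            r = a - b
        elif item == "*":
            r = a * b
        elif item in ("/", "%"):
            if b == 0:
                raise ExprError("division by zero")
            r = a // b if item == "/" else a % b  # '/' is floor division here
        else:  # "**": refuse before computing, since the computation is the cost
            if b < 0 or a.bit_length() * b > MAX_RESULT_BITS:
                raise ExprError("exponent out of range")
            r = a ** b
        if r.bit_length() > MAX_RESULT_BITS:
            raise ExprError("result too large")
        stack.append(r)
    if len(stack) != 1:
        raise ExprError("malformed expression")
    return stack[0]


def safe_int_eval(text):
    """Evaluate an integer arithmetic expression string without touching eval()."""
    return eval_rpn(to_rpn(tokenize(text)))


if __name__ == "__main__":
    for expr in ("1 + 2 * 3", "-2 ** 2", "2 ** 3 ** 2", "__import__('os')", "9 ** 9 ** 9"):
        try:
            print(f"{expr!r} -> {safe_int_eval(expr)}")
        except ExprError as e:
            print(f"{expr!r} -> rejected: {e}")
```

Because the tokeniser only knows digits, six operators and parentheses, there is no token for a name, attribute or call, and the question of what eval() would have done with the string never arises; the size checks close the remaining hole, which is that integer arithmetic alone can still exhaust memory or CPU.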