Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!news.albasani.net!newsreader4.netcologne.de!news.netcologne.de!xlned.com!feeder7.xlned.com!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.000 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'syntax': 0.04; 'insert': 0.05; 'subject:Python': 0.06; "'',": 0.07; 'expressions': 0.07; 'linux,': 0.07; 'permitted': 0.07; 'see:': 0.07; 'expected.': 0.09; 'expression:': 0.09; 'facts': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'subject:using': 0.09; 'way:': 0.09; 'url:blog': 0.10; 'python': 0.11; '2.7': 0.14; "%s'": 0.16; '2.7.3': 0.16; '[name': 0.16; 'after,': 0.16; 'expression,': 0.16; 'expression.': 0.16; 'i.e': 0.16; 'identifiers,': 0.16; 'namespace,': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'simplest': 0.16; 'stack:': 0.16; 'surprises': 0.16; 'unnamed': 0.16; 'prevent': 0.16; 'wrote:': 0.18; 'trying': 0.19; '>>>': 0.22; 'import': 0.22; 'header:User-Agent:1': 0.23; "aren't": 0.24; 'documented': 0.24; "shouldn't": 0.24; 'subject: .': 0.24; 'looks': 0.24; 'environment': 0.24; 'values': 0.27; 'header:X-Complaints-To:1': 0.27; 'header:In-Reply-To:1': 0.27; 'raise': 0.29; 'wonder': 0.29; "doesn't": 0.30; 'errors': 0.30; "i'm": 0.30; 'code': 0.31; 'serve': 0.31; "skip:' 10": 0.31; '"",': 0.31; '>>>>': 0.31; 'accidentally': 0.31; 'bug?': 0.31; 'names.': 0.31; 'ok.': 0.31; 'piece': 0.31; 'probably': 0.32; 'run': 0.32; 'text': 0.33; 'are:': 0.33; 'but': 0.35; 'there': 0.35; 'version': 0.36; 'really': 0.36; '2.6': 0.36; 'doubt': 0.36; 'similar': 0.36; 'example,': 0.37; 'so,': 0.37; 'list': 0.37; 'starting': 0.37; 'step': 0.37; 'being': 0.38; 'e.g.': 0.38; 'hat': 0.38; 'version,': 0.38; 'to:addr:python-list': 0.38; 'files': 0.38; 'pm,': 0.38; 'little': 0.38; 'anything': 0.39; 'expect': 0.39; 'subject:[': 0.39; 'embedded': 0.39; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'skip:u 10': 0.60; 'hope': 0.61; "you're": 0.61; "you've": 0.63; 'email addr:gmail.com': 0.63; 'name': 0.63; 'story': 0.63; 'real': 0.63; 'such': 0.63; 'skip:n 10': 0.64; 'more': 0.64; 'determine': 0.67; 'details,': 0.68; 'invalid': 0.68; 'safe': 0.72; 'whitelist': 0.84; 'do:': 0.91; 'examine': 0.93 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Ned Batchelder Subject: Re: '_[1]' in .co_names using builtin compile() in Python 2.6 Date: Wed, 27 Nov 2013 15:09:32 -0500 References: <6cdefe87-5703-4caf-91c0-b4a02674a1e5@googlegroups.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: 18.189.97.191 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 In-Reply-To: <6cdefe87-5703-4caf-91c0-b4a02674a1e5@googlegroups.com> X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 91 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1385582986 news.xs4all.nl 15923 [2001:888:2000:d::a6]:55594 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:60632 On 11/27/13 2:40 PM, magnus.lycka@gmail.com wrote: > When I run e.g. compile('sin(5) * cos(6)', '', 'eval').co_names, I get ('sin', 'cos'), which is just what I expected. > > But when I have a list comprehension in the expression, I get a little surprise: >>>> compile('[x*x for x in y]', '', 'eval').co_names > ('_[1]', 'y', 'x') >>>> > > This happens in Python 2.6.6 on Red Hat Linux, but not when I run Python 2.7.3 in Windows. Unfortunately I'm stuck with 2.6. > > * Are there more surprises similar to this one that I can expect from compile(...).co_names? Is this "behaviour" documented somewhere? > That name is the name of the list being built by the comprehension, which I found out by disassembling the code object to see the bytecodes: >>> co = compile("[x*x for x in y]", "", "eval") >>> co.co_names ('_[1]', 'y', 'x') >>> import dis >>> dis.dis(co) 1 0 BUILD_LIST 0 3 DUP_TOP 4 STORE_NAME 0 (_[1]) 7 LOAD_NAME 1 (y) 10 GET_ITER >> 11 FOR_ITER 17 (to 31) 14 STORE_NAME 2 (x) 17 LOAD_NAME 0 (_[1]) 20 LOAD_NAME 2 (x) 23 LOAD_NAME 2 (x) 26 BINARY_MULTIPLY 27 LIST_APPEND 28 JUMP_ABSOLUTE 11 >> 31 DELETE_NAME 0 (_[1]) 34 RETURN_VALUE The same list comprehension in 2.7 uses an unnamed list on the stack: 1 0 BUILD_LIST 0 3 LOAD_NAME 0 (y) 6 GET_ITER >> 7 FOR_ITER 16 (to 26) 10 STORE_NAME 1 (x) 13 LOAD_NAME 1 (x) 16 LOAD_NAME 1 (x) 19 BINARY_MULTIPLY 20 LIST_APPEND 2 23 JUMP_ABSOLUTE 7 >> 26 RETURN_VALUE I don't know whether such facts are documented. They are deep implementation details, and change from version to version, as you've seen. > * Is there perhaps a better way to achieve what I'm trying to do? > > What I'm really after, is to check that python expressions embedded in text files are: > - well behaved (no syntax errors etc) > - don't accidentally access anything it shouldn't > - I serve them with the values they need on execution I hope you aren't trying to prevent malice this way: you cannot examine a piece of Python code to prove that it's safe to execute. For an extreme example, see: Eval Really Is Dangerous: http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html In your environment it looks like you have a whitelist of identifiers, so you're probably ok. > > So, in the case of "a.b + x" I'm really just interested in a and x, not b. So the (almost) whole story is that I do: > > # Find names not starting with ".", i.e a & b in "a.c + b" > abbr_expr = re.sub(r"\.\w+", "", expr) > names = compile(abbr_expr, '', 'eval').co_names > # Python 2.6 returns '_[1]' in co_names for list comprehension. Bug? > names = [name for name in names if re.match(r'\w+$', name)] > > for name in names: > if name not in allowed_names: > raise NameError('Name: %s not permitted in expression: %s' % (name, expr)) > I don't know of a better way to determine the real names in the expression. I doubt Python will insert a valid name into the namespace, since it doesn't want to step on real user names. The simplest way to do that is to autogenerate invalid names, like "_[1]" (I wonder why it isn't "_[0]"?) --Ned.