| Path | csiph.com!newsfeed.hal-mli.net!feeder3.hal-mli.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <rosuav@gmail.com> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| MIME-Version | 1.0 |
| In-Reply-To | <kc72ls$3m7$1@reader1.panix.com> |
| References | <kc541v$3e4$1@reader1.panix.com> <50e6891c$0$30003$c3e8da3$5496439d@news.astraweb.com> <kc70hb$p5$1@reader1.panix.com> <mailman.89.1357318292.2939.python-list@python.org> <kc72ls$3m7$1@reader1.panix.com> |
| Date | Sat, 5 Jan 2013 04:21:33 +1100 |
| Subject | Re: Yet another attempt at a safe eval() call |
| From | Chris Angelico <rosuav@gmail.com> |
| To | python-list@python.org |
| Content-Type | text/plain; charset=ISO-8859-1 |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.91.1357320101.2939.python-list@python.org> |

On Sat, Jan 5, 2013 at 4:14 AM, Grant Edwards <invalid@invalid.invalid> wrote:
> On 2013-01-04, Chris Angelico <rosuav@gmail.com> wrote:
>> On Sat, Jan 5, 2013 at 3:38 AM, Grant Edwards <invalid@invalid.invalid> wrote:
>
>>> I've added equals, backslash, commas, square/curly brackets, colons
>>> and semicolons to the prohibited character list. I also reduced the
>>> maximum length to 60 characters. It's unfortunate that parentheses
>>> are overloaded for both expression grouping and for function
>>> calling...
>>
>> I have to say that an expression evaluator that can't handle parens
>> for grouping is badly flawed.
>
> Indeed. That's why I didn't disallow parens.
>
> What I was implying was that since you have to allow parens for
> grouping, there's no simple way to disallow function calls.

Yeah, and a safe evaluator that allows function calls is highly vulnerable.

>> Can you demand that open parenthesis be preceded by an operator (or
>> beginning of line)?
>
> Yes, but once you've parsed the expression to the point where you can
> enforce rules like that, you're probably most of the way to doing the
> "right" thing and evaluating the expression using ast or pyparsing or
> similar.
>
> Some might argue that repeated tweaking of and adding limitations to
> a "safe eval" is just heading down that same road in a different car.
> They'd probably be right: in the end, it will probably have been less
> work to just do it with ast. But it's still interesting to try. :)

Yep, have fun with it. As mentioned earlier, though, security isn't
all that critical; so in this case, chances are you can just leave
parens permitted and let function calls potentially happen.

ChrisA
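
The `ast` route discussed in the message above, as an added example that is not code from any poster in the thread: grouping parentheses leave no node in the parsed tree, while a call shows up as an `ast.Call` node, so a node whitelist separates the two where a character blacklist cannot. The names `safe_arith` and `UnsafeExpression` and the numeric-literals-only grammar are assumptions; the 60-character cap is the figure quoted above.

```python
import ast
import operator

# Whitelisted operators. Anything not listed is rejected; ** is left out
# on purpose because a short expression can demand huge amounts of CPU/RAM.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_LEN = 60  # length cap, same figure as in the thread


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the arithmetic whitelist (hypothetical name)."""


def _eval(node):
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    # type() check rather than isinstance() so that True/False are rejected.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval(node.operand))
    # ast.Call, ast.Name, ast.Attribute, ast.Subscript, ... all end up here.
    raise UnsafeExpression(f"{type(node).__name__} is not allowed")


def safe_arith(expr):
    """Evaluate +, -, *, /, //, % over numeric literals; parens only group."""
    if len(expr) > MAX_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except (SyntaxError, ValueError, MemoryError, RecursionError) as exc:
        raise UnsafeExpression(f"unparseable: {exc}") from None
    return _eval(tree)
```

Nothing is ever passed to `eval()`; the tree is walked by hand, so an expression can only do what a branch of `_eval` implements. Arithmetic errors such as `ZeroDivisionError` still propagate to the caller.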