Date: Sat, 5 Jan 2013 04:21:33 +1100
Subject: Re: Yet another attempt at a safe eval() call
From: Chris Angelico
To: python-list@python.org
Newsgroups: comp.lang.python
References: <50e6891c$0$30003$c3e8da3$5496439d@news.astraweb.com>

On Sat, Jan 5, 2013 at 4:14 AM, Grant Edwards wrote:
> On 2013-01-04, Chris Angelico wrote:
>> On Sat, Jan 5, 2013 at 3:38 AM, Grant Edwards wrote:
>
>>> I've added equals, backslash, commas, square/curly brackets, colons
>>> and semicolons to the prohibited character list. I also reduced the
>>> maximum length to 60 characters. It's unfortunate that parentheses
>>> are overloaded for both expression grouping and for function
>>> calling...
>>
>> I have to say that an expression evaluator that can't handle parens
>> for grouping is badly flawed.
>
> Indeed. That's why I didn't disallow parens.
>
> What I was implying was that since you have to allow parens for
> grouping, there's no simple way to disallow function calls.

Yeah, and a safe evaluator that allows function calls is highly vulnerable.

>> Can you demand that open parenthesis be preceded by an operator (or
>> beginning of line)?
>
> Yes, but once you've parsed the expression to the point where you can
> enforce rules like that, you're probably most of the way to doing the
> "right" thing and evaluating the expression using ast or pyparsing or
> similar.
>
> Some might argue that repeated tweaking of and adding limitations to
> a "safe eval" is just heading down that same road in a different car.
> They'd probably be right: in the end, it will probably have been less
> work to just do it with ast. But it's still interesting to try. :)

Yep, have fun with it. As mentioned earlier, though, security isn't all
that critical; so in this case, chances are you can just leave parens
permitted and let function calls potentially happen.

ChrisA