| Started by | Chris Angelico <rosuav@gmail.com> |
|---|---|
| First post | 2015-08-23 09:44 +1000 |
| Last post | 2015-08-23 09:44 +1000 |
| Articles | 1 — 1 participant |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: Sandboxing Python Chris Angelico <rosuav@gmail.com> - 2015-08-23 09:44 +1000
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-08-23 09:44 +1000 |
| Subject | Re: Sandboxing Python |
| Message-ID | <mailman.20.1440287102.17298.python-list@python.org> |
On Sun, Aug 23, 2015 at 9:25 AM, Mark Lawrence <breamoreboy@yahoo.co.uk> wrote:
> I was always led to believe that the subject was a difficult thing to do,
> but here
> https://www.reddit.com/r/learnpython/comments/3huz4x/how_to_do_math_inside_raw_input/
> is a safe solution in only 23 characters, or are there any discernable flaws
> in it?

I'm sorry, I can't see which solution you're talking about there - maybe I just don't know how to read reddit properly. Can you paste the proposed code please?

The best I can see there is "use eval but with no builtins". That's fundamentally flawed because you don't need builtins to break stuff. All you need is a literal, from which you can snag everything else via its attributes.

However, for this situation, I would be recommending ast.literal_eval, which *is* safe. It's a lot more powerful than "split it into number, operator, number" as mentioned at the end, but still can't majorly break anything.

ChrisA
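The contrast described in the post above, as an added example that is not part of the original message: the same constructed inputs are passed to `eval` with an empty `__builtins__` and to `ast.literal_eval`. The function names and sample strings are assumptions made for this illustration.

```python
import ast

# Constructed inputs: things a user might type at a "do some math" prompt.
LITERALS = ["42", "-3.5", "[1, 2, 3]", "{'a': (1, 2)}"]
# Constructed probe: starts from a tuple literal and only walks attributes,
# so it needs no builtin names at all.
ATTRIBUTE_WALK = "().__class__.__base__.__subclasses__()"


def eval_no_builtins(text):
    """The 'eval but with no builtins' approach discussed in the thread."""
    return eval(text, {"__builtins__": {}}, {})


def parse_literal(text):
    """Wrap ast.literal_eval: return (ok, value) or (False, error class name)."""
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return False, type(exc).__name__


def compare(text):
    """Run both evaluators on the same text and describe what each one does."""
    try:
        result = eval_no_builtins(text)
        unsafe_desc = "returned " + type(result).__name__
    except Exception as exc:
        unsafe_desc = "raised " + type(exc).__name__
    return unsafe_desc, parse_literal(text)


if __name__ == "__main__":
    # Removing builtins blocks name lookups such as __import__, but the
    # attribute walk still hands back live class objects. literal_eval
    # rejects both, because it accepts literal syntax only.
    for text in LITERALS + ["__import__('os')", ATTRIBUTE_WALK]:
        print(repr(text), compare(text))
```

The `ast` documentation notes that very large or deeply nested input can still exhaust memory or the C stack, so cap the input length before parsing untrusted text.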