| Field | Value |
|---|---|
| References | <mrb0eh$2md$1@ger.gmane.org> |
| Date | 2015-08-23 09:44 +1000 |
| Subject | Re: Sandboxing Python |
| From | Chris Angelico <rosuav@gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.20.1440287102.17298.python-list@python.org> |
On Sun, Aug 23, 2015 at 9:25 AM, Mark Lawrence <breamoreboy@yahoo.co.uk> wrote:
> I was always led to believe that the subject was a difficult thing to do,
> but here
> https://www.reddit.com/r/learnpython/comments/3huz4x/how_to_do_math_inside_raw_input/
> is a safe solution in only 23 characters, or are there any discernible flaws
> in it?

I'm sorry, I can't see which solution you're talking about there - maybe I just don't know how to read reddit properly. Can you paste the proposed code please?

The best I can see there is "use eval but with no builtins". That's fundamentally flawed because you don't need builtins to break stuff. All you need is a literal, from which you can snag everything else via its attributes.

However, for this situation, I would be recommending ast.literal_eval, which *is* safe. It's a lot more powerful than "split it into number, operator, number" as mentioned at the end, but still can't majorly break anything.

ChrisA