From: Jean-Michel Pichavant on
Aahz wrote:
> In article <0efe23a6-b16d-4f92-8bc0-12d056bf599d(a)z26g2000yqm.googlegroups.com>,
> OdarR <olivier.darge(a)gmail.com> wrote:
>
>> and with eval(), did you try ?
>>
>
> WARNING: eval() is almost always the wrong answer to any question
>
Some say that eval is evil!

JM
From: Steven D'Aprano on
On Mon, 08 Feb 2010 14:43:46 -0800, Aahz wrote:

>>> WARNING: eval() is almost always the wrong answer to any question
>>
>>warning : it works !
>
> Works for what?

Code injection security bugs, of course.

http://en.wikipedia.org/wiki/Code_injection

It is surprisingly difficult to sanitize strings in Python to make them
safe to pass to eval. Unless you are prepared to trust the input data
explicitly, it's best to just avoid eval.



--
Steven
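As an added illustration of the point above (example code, not part of the original thread), the usual way to avoid eval on untrusted text is to parse with an allowlist instead of trying to sanitize: ast.literal_eval for plain data literals, and a small AST walker for the one "restricted subset" you actually need (here, arithmetic). The input-length cap is an assumption added because the AST compiler can hit stack limits on very large or deeply nested input.

```python
import ast
import operator

# Assumed cap on untrusted input before it reaches the parser.
MAX_INPUT_LEN = 4096

# Allowlist of binary operators for the arithmetic subset.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def literal_from_untrusted(text):
    """Parse a Python data literal (numbers, strings, lists, dicts, ...) without eval.

    ast.literal_eval never executes code: a call, attribute access or name
    lookup is rejected with ValueError rather than evaluated.
    """
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    return ast.literal_eval(text)


def arithmetic_from_untrusted(text):
    """Evaluate + - * / over numeric constants by walking the AST.

    Only the node types listed in _walk are accepted; anything else
    (calls, names, attributes, comprehensions, ...) raises ValueError.
    """
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    tree = ast.parse(text, mode="eval")
    return _walk(tree.body)


def _walk(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_walk(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_walk(node.left), _walk(node.right))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def is_accepted(parser, text):
    """True if the parser accepts the text, False if it rejects it for any reason."""
    try:
        parser(text)
        return True
    except (ValueError, SyntaxError, TypeError, ZeroDivisionError,
            RecursionError, MemoryError):
        return False
```

Note that even a harmless-looking call such as `sum([1, 2, 3])` is rejected by both parsers: the safety comes from accepting only known-good syntax, not from recognising bad strings.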
From: Paul Rudin on
Steven D'Aprano <steven(a)REMOVE.THIS.cybersource.com.au> writes:

> On Mon, 08 Feb 2010 14:43:46 -0800, Aahz wrote:
>
>>>> WARNING: eval() is almost always the wrong answer to any question
>>>
>>>warning : it works !
>>
>> Works for what?
>
> Code injection security bugs, of course.
>
> http://en.wikipedia.org/wiki/Code_injection
>
> It is surprisingly difficult to sanitize strings in Python to make them
> safe to pass to eval. Unless you are prepared to trust the input data
> explicitly, it's best to just avoid eval.

Despite the fact that it's used in the standard library...
From: Steven D'Aprano on
On Tue, 09 Feb 2010 07:29:33 +0000, Paul Rudin wrote:

>> It is surprisingly difficult to sanitize strings in Python to make them
>> safe to pass to eval. Unless you are prepared to trust the input data
>> explicitly, it's best to just avoid eval.
>
> Despite the fact that it's used in the standard library...

Wisely or not, the standard library implicitly trusts its input.

That's one of the many reasons why it's so hard to have a restricted
subset of Python.




--
Steven
From: Stefan Behnel on
Klaus Neuner, 09.02.2010 10:04:
> my program is supposed to parse files that I have created myself and that
> are on my laptop. It is not supposed to interact with anybody else
> than me.

Famous last words.

Stefan