Bytes IT Community

eval(source, {'builtins': {}}) archived as Faq

Absent from http://www.python.org/doc/current/li...-in-funcs.html
but now copied to the Faq list of http://pyfaq.infogami.com/suggest,
from these clp archives:

///

Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?

A: eval(source, {'builtins': {}})

Note: What eval may do to you remains as surprising as ever if you
mistype this idiom as: eval(source, {})

Note: This idiom makes sense of ordinary Python literals (such as 010,
0x8, 8.125e+0, and "\x45ight"). This idiom also correctly interprets
simple literal expressions, such as 64**0.5.

Sep 28 '06 #1
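The question the FAQ entry asks (evaluate literals and nothing else) has a standard-library answer that does not involve eval at all: ast.literal_eval parses the source into an AST and only converts literal syntax (numbers, strings, bytes, tuples, lists, dicts, sets, booleans, None), so a name, call or attribute access is a ValueError rather than code that runs. The following is an added example written for this page, not code from the original post or its replies; the inputs are constructed (the FAQ's 010 is Python 2 octal syntax and is spelled 0o10 in Python 3), and the length cap MAX_SOURCE_LEN is an assumption, there because the parser itself still consumes memory and recursion on hostile input.

```python
import ast

# Python 3 spellings of the literals the FAQ entry lists, plus a nested container.
# Constructed inputs for this example.
LITERAL_INPUTS = ['0o10', '0x8', '8.125e+0', '"\\x45ight"', '[1, (2, 3), {"k": None}]']

# Inputs eval() would execute but a literal parser must refuse: the thread's two
# payloads, and the FAQ's "simple expression", which is not a literal either.
REJECTED_INPUTS = ['__import__("sys").exit()', '9**9**9', '64**0.5']

MAX_SOURCE_LEN = 10_000  # assumed cap, checked before the parser sees the input


def parse_literal(source):
    """Return the value a Python literal denotes, without evaluating code.

    ast.literal_eval accepts literal syntax only, so names, calls, attribute
    access and arbitrary operators raise ValueError instead of running.
    """
    if len(source) > MAX_SOURCE_LEN:
        raise ValueError("input too long")
    return ast.literal_eval(source)


def classify(source):
    """Return ('ok', value) or ('rejected', exception name); never calls eval()."""
    try:
        return ('ok', parse_literal(source))
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return ('rejected', type(exc).__name__)


if __name__ == "__main__":
    for src in LITERAL_INPUTS + REJECTED_INPUTS:
        print(f"{src!r:45} -> {classify(src)}")
```

Note that `64**0.5` is rejected along with the dangerous inputs: literal_eval draws the line at literals, and anything that needs operators needs a separate, explicitly bounded evaluator.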
4 Replies


p.*******@ieee.org wrote:
Absent from http://www.python.org/doc/current/li...-in-funcs.html
but now copied to the Faq list of http://pyfaq.infogami.com/suggest,
from these clp archives:

///

Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?

A: eval(source, {'builtins': {}})

Note: What eval may do to you remains as surprising as ever if you
mistype this idiom as: eval(source, {})

Note: This idiom makes sense of ordinary Python literals (such as 010,
0x8, 8.125e+0, and "\x45ight"). This idiom also correctly interprets
simple literal expressions, such as 64**0.5.
This is an _extremely_ bad idea. _Never_ use eval in a case where you
are trying to validate input.
>>> def e(source): return eval(source, {'builtins': {}})
...
>>> e('__import__("sys").exit()')
Oops, the interpreter exited.

Just when you think you've covered all the bases, you haven't.

--
Erik Max Francis && ma*@alcyone.com && http://www.alcyone.com/max/
San Jose, CA, USA && 37 20 N 121 53 W && AIM, Y!M erikmaxfrancis
A man's life is what his thoughts make it.
-- Marcus Aurelius
Sep 28 '06 #2

p.*******@ieee.org writes:
Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?

A: eval(source, {'builtins': {}})
That is dangerous. Consider source = "9**9**9". There's a better
recipe on ASPN:

http://aspn.activestate.com/ASPN/Coo.../Recipe/364469
Sep 28 '06 #3
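The 9**9**9 point in this reply is a resource-exhaustion problem rather than a name-lookup one, so even an eval whose namespace was perfectly sealed would still need limits on the work an expression can demand. Below is an added example, written for this page and not a copy of the ASPN recipe the reply links, of the approach such recipes take: parse with the ast module, walk the tree, accept only number and string constants plus a fixed set of arithmetic operators, and bound exponentiation before computing it, so the FAQ's `64**0.5` works while `9**9**9` and every call, name or attribute access are refused. The limits (MAX_SOURCE_LEN, MAX_NODES, MAX_EXPONENT, MAX_POW_BITS) are constructed values, and the code assumes Python 3.8+ for ast.Constant.

```python
import ast
import operator

# Limits are constructed for this example; tune them to the application.
MAX_SOURCE_LEN = 200    # checked before parsing: the parser itself costs memory and recursion
MAX_NODES = 100         # bound on AST size, so evaluation work is bounded too
MAX_EXPONENT = 64       # largest |exponent| accepted for **
MAX_POW_BITS = 4096     # largest integer result of ** accepted, in bits

_BINARY = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}


class RejectedExpression(ValueError):
    """Raised for any input outside the whitelisted grammar or the limits."""


def _number(value):
    # bool is a subclass of int; exclude it so "True + 1" is not silently 2.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise RejectedExpression("arithmetic on a non-numeric operand")
    return value


def _bounded_pow(base, exp):
    """Compute base ** exp only after bounding the work it would take."""
    if abs(exp) > MAX_EXPONENT:
        raise RejectedExpression("exponent too large")
    if isinstance(base, int) and isinstance(exp, int) and exp > 0:
        # The result has at most bit_length(base) * exp bits; check before computing.
        if base.bit_length() * exp > MAX_POW_BITS:
            raise RejectedExpression("exponentiation result too large")
    return base ** exp  # float overflow raises OverflowError; safe_eval handles it


def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant):
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float, str)):
            raise RejectedExpression(f"disallowed constant: {node.value!r}")
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_number(_eval_node(node.operand)))
    if isinstance(node, ast.BinOp):
        left = _number(_eval_node(node.left))
        right = _number(_eval_node(node.right))
        if isinstance(node.op, ast.Pow):
            return _bounded_pow(left, right)
        if type(node.op) in _BINARY:
            return _BINARY[type(node.op)](left, right)
    # Names, calls, attribute access, subscripts, comparisons, ... all land here.
    raise RejectedExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(source):
    """Evaluate a numeric/string literal expression without ever calling eval()."""
    if len(source) > MAX_SOURCE_LEN:
        raise RejectedExpression("input too long")
    try:
        tree = ast.parse(source.strip(), mode="eval")
    except (SyntaxError, RecursionError, MemoryError):
        raise RejectedExpression("not a parseable expression") from None
    if sum(1 for _ in ast.walk(tree)) > MAX_NODES:
        raise RejectedExpression("expression too complex")
    try:
        return _eval_node(tree)
    except ArithmeticError as exc:  # ZeroDivisionError, OverflowError
        raise RejectedExpression(str(exc)) from None


def rejects(source):
    """True if safe_eval refuses the input; used by the demo and tests."""
    try:
        safe_eval(source)
    except RejectedExpression:
        return True
    return False


if __name__ == "__main__":
    for src in ['64**0.5', '0x8 + 0o10', '"\\x45ight"', '9**9**9',
                '__import__("sys").exit()', '1 .__class__', '1/0']:
        print(f"{src!r:30} -> {'rejected' if rejects(src) else safe_eval(src)}")
```

The design point is that the grammar is a whitelist walked by the program, so anything the walker does not name is rejected by default; the opposite of emptying __builtins__ and hoping nothing reachable is left. The pre-computation check in _bounded_pow is what turns 9**9**9 from a hang into an immediate rejection: the inner 9**9 is fine, but it then becomes an exponent far above MAX_EXPONENT.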

Erik Max Francis <ma*@alcyone.com> wrote:
This is an _extremely_ bad idea. _Never_ use eval in a case where you
are trying to validate input.
>>> def e(source): return eval(source, {'builtins': {}})
...
>>> e('__import__("sys").exit()')

Oops, the interpreter exited.
I'm slightly surprised that nobody has yet pointed out that the OP failed
at the very first hurdle here. If you are going to do this dangerous trick
then 'builtins' should be spelled '__builtins__':
>>> def e(source): return eval(source, {'__builtins__': {}})
>>> e('__import__("sys").exit()')
Traceback (most recent call last):
  File "<pyshell#9>", line 1, in <module>
    e('__import__("sys").exit()')
  File "<pyshell#8>", line 1, in e
    def e(source): return eval(source, {'__builtins__': {}})
  File "<string>", line 1, in <module>
NameError: name '__import__' is not defined
>>>
but it is still not going to stop nasty things happening, it just makes
them a little more complex:
>>> e("[ c for c in 1 .__class__.__bases__[0].__subclasses__() if
c.__name__=='Quitter'][0]('bang')()")

Sep 29 '06 #4

Duncan Booth wrote:
I'm slightly surprised that nobody has yet pointed out that the OP failed
at the very first hurdle here. If you are going to do this dangerous trick
then 'builtins' should be spelled '__builtins__':
I did, because otherwise the exploit I gave wouldn't have worked so easily.

The bottom line here is that you shouldn't even try to go through the
exercise of seeing if you can bullet-proof a solution using eval;
instead, you shouldn't even try.

--
Erik Max Francis && ma*@alcyone.com && http://www.alcyone.com/max/
San Jose, CA, USA && 37 20 N 121 53 W && AIM, Y!M erikmaxfrancis
Everyone wants to look good at his own funeral.
-- Louis Wu
Sep 29 '06 #5
