Safe eval of insecure strings containing Python data structures?


I would like to parse an arbitrary, insecure text string containing nested
Python data structures in eval-compatible form:

# For example, given a "config.txt" such as:

{
'my_atom' : 1.20,
'my_dict' : { 2:50 , 'hi':'mom'},
'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}

# I would like to do something like this:

empty_space = {'__builtins__' : {}}

try:
    config = eval(open("config.txt").read(), empty_space, empty_space)
except:
    config = {}

print config

# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!

Cheers,
Warren
Oct 9 '08 #1
On Oct 8, 8:34 pm, "Warren DeLano" <war...@delsci.com> wrote:
I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:
....
So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!
This topic comes up every other month or so in this list, so if you
had taken a minute to search for "python safe eval" or a variation
thereof in your favorite search engine, you'd get more than enough
pointers.

George
Oct 9 '08 #2
On Oct 8, 7:34 pm, "Warren DeLano" <war...@delsci.com> wrote:
I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:
....
# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!

Cheers,
Warren
As mentioned, I don't know if everything has been tried or how secure
the attempts that have been made are. I haven't seen this one:

Python 2.6 (r26:66721, Oct 2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> del __builtins__
>>> a = [ x for x in (1).__class__.__bases__[0].__subclasses__() if x.__name__ == 'file' ][ 0 ]
>>> a
<type 'file'>
>>> a('abc.txt','w')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode
>>> import os
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: __import__ not found

So, at least one of the newsgroup favorites is gone. Take a shot
though! Maybe a variant would be sufficient. No warranty.
Oct 9 '08 #3
I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:
Python 2.6 has ast.literal_eval to do exactly this. It handles lists,
tuples, dicts, numbers, strings, bools and None, with arbitrary nesting.

Cheers,
Franck
Oct 9 '08 #4
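Taking the original post's empty-builtins eval and Franck's pointer to ast.literal_eval together, the following is an added example for Python 3; it is not code from any poster in this thread. The config text is the one from the original post, embedded inline. ESCAPE_TEXT is a constructed attacker input that uses only attribute access, indexing and a comprehension, so every name in it resolves without a single builtin: it reaches __subclasses__() from an empty tuple, picks any class whose __init__ is a plain Python function, and reads the interpreter's real builtins namespace out of that function's __globals__. Python 3 has no restricted mode, so the kind of check that blocked file() in the Python 2.6 session of reply #3 does not exist there. load_config and ConfigError are names chosen for this example; load_config parses the same text with ast.literal_eval and treats the probe as a parse error.

```python
"""Added example (not from any poster in this thread): eval() with an
emptied __builtins__ is not a sandbox, while ast.literal_eval parses the
same config text and rejects the escape.  Python 3."""
import ast
import builtins

# The config.txt from the original post, embedded so the example needs no file.
CONFIG_TEXT = """
{
 'my_atom' : 1.20,
 'my_dict' : { 2:50 , 'hi':'mom'},
 'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}
"""

# Constructed attacker input.  Only attribute access, indexing and a list
# comprehension are used, so an empty __builtins__ does not get in the way:
# object -> __subclasses__() -> a class with a Python-level __init__ ->
# that function's __globals__ -> the real builtins namespace.
ESCAPE_TEXT = (
    "[c.__init__.__globals__['__builtins__']"
    " for c in ().__class__.__base__.__subclasses__()"
    " if c.__init__.__class__.__name__ == 'function'"
    " and '__builtins__' in c.__init__.__globals__][0]"
)


def eval_with_empty_builtins(text):
    """The original post's approach: eval() in a namespace whose
    __builtins__ is an empty dict."""
    empty_space = {"__builtins__": {}}
    return eval(text, empty_space, empty_space)


def empty_builtins_is_escapable():
    """True if ESCAPE_TEXT, run the original post's way, hands back the
    interpreter's real builtins (the builtins module or its dict)."""
    recovered = eval_with_empty_builtins(ESCAPE_TEXT)
    return recovered is builtins or recovered is vars(builtins)


class ConfigError(ValueError):
    """Raised for any input the loader refuses (hypothetical name)."""


def load_config(text, max_len=64 * 1024):
    """Parse a Python-literal config with ast.literal_eval.

    literal_eval only builds str, bytes, numbers, tuples, lists, dicts,
    sets, bools and None; an attribute access, call or name lookup in the
    parsed tree is rejected with ValueError before anything is evaluated.
    It does not bound resource use, so the caller caps the input size and
    folds RecursionError/MemoryError from oversized or deeply nested input
    into ConfigError instead of letting them propagate."""
    if len(text) > max_len:
        raise ConfigError("config too large: %d bytes" % len(text))
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError,
            RecursionError, MemoryError) as exc:
        raise ConfigError("rejected config: %s" % exc) from None


if __name__ == "__main__":
    print("empty __builtins__ escapable:", empty_builtins_is_escapable())
    print("literal_eval result:", load_config(CONFIG_TEXT))
    try:
        load_config(ESCAPE_TEXT)
    except ConfigError as err:
        print("literal_eval refused the probe:", err)
```

The only thing the empty __builtins__ dict removes is convenience: the attacker loses `open` and `__import__` as names, not as objects, and a few attribute hops bring them back. literal_eval works at the other end of the pipeline, accepting a fixed grammar of literals and nothing else, which is why the probe fails as a parse error before any object is touched. The trade-off is that a config needing expressions (1.2 * 3, a set union) cannot use it, and size and nesting still have to be bounded by the caller.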