
Safe eval of insecure strings containing Python data structures?

I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:

# For example, given a "config.txt" such as:

{
  'my_atom' : 1.20,
  'my_dict' : { 2:50 , 'hi':'mom'},
  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}

# I would like to do something like this:

empty_space = {'__builtins__' : {}}

try:
    config = eval(open("config.txt").read(), empty_space, empty_space)
except:
    config = {}

print config

# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!

Cheers,
Warren
Oct 9 '08 #1
3 Replies

On Oct 8, 8:34 pm, "Warren DeLano" <war...@delsci.com> wrote:
> I would like to parse arbitrary insecure text string containing nested
> Python data structures in eval-compatible form:
>
> # For example, given a "config.txt" such as:
>
> {
>   'my_atom' : 1.20,
>   'my_dict' : { 2:50 , 'hi':'mom'},
>   'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
> }
>
> # I would like to do something like this:
>
> empty_space = {'__builtins__' : {}}
>
> try:
>     config = eval(open("config.txt").read(), empty_space, empty_space)
> except:
>     config = {}
>
> print config
>
> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...
>
> So is there an equally convenient yet secure alternative available for
> parsing strings containing Python data structure definitions?
>
> Thanks in advance for any pointers!

This topic comes up every other month or so in this list, so if you
had taken a minute to search for "python safe eval" or a variation
thereof in your favorite search engine, you'd get more than enough
pointers.

George
Oct 9 '08 #2

On Oct 8, 7:34 pm, "Warren DeLano" <war...@delsci.com> wrote:
> I would like to parse arbitrary insecure text string containing nested
> Python data structures in eval-compatible form:
> ....
> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...
>
> So is there an equally convenient yet secure alternative available for
> parsing strings containing Python data structure definitions?
>
> Thanks in advance for any pointers!
>
> Cheers,
> Warren

As mentioned, I don't know if everything has been tried or how secure
what attempts have been. I haven't seen this one:

Python 2.6 (r26:66721, Oct 2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> del __builtins__
>>> a= [ x for x in (1).__class__.__bases__[0].__subclasses__() if x.__name__== 'file' ][ 0 ]
>>> a
<type 'file'>
>>> a('abc.txt','w')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
IOError: file() constructor not accessible in restricted mode
>>> import os
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: __import__ not found

So, at least one of the newsgroup favorites is gone. Take a shot
though! Maybe a variant would be sufficient. No warranty.
Oct 9 '08 #3

> I would like to parse arbitrary insecure text string containing nested
> Python data structures in eval-compatible form:

Python 2.6 has ast.literal_eval to do exactly this. It handles lists,
tuples, dict, numbers, strings, bool and None, with arbitrary nesting.

Cheers,
Franck
Oct 9 '08 #4
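
Added example, not part of the original thread: the ast.literal_eval approach from the reply above, applied to the question's config.txt text and to inputs that eval() would run but literal_eval refuses. It is written for Python 3 (the thread discusses 2.6); the names load_config, ConfigError, is_rejected and the 64 KiB size cap are assumptions made for illustration.

```python
import ast

MAX_CONFIG_BYTES = 64 * 1024  # assumed cap: huge or deeply nested input can exhaust memory/stack

# Constructed sample: the config.txt contents from the question.
SAMPLE_CONFIG = """
{
  'my_atom' : 1.20,
  'my_dict' : { 2:50 , 'hi':'mom'},
  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}
"""

# Constructed untrusted inputs: eval() would evaluate these, literal_eval will not.
REJECTED_SAMPLES = [
    "(1).__class__.__bases__[0].__subclasses__()",  # attribute walk shown in reply #3
    "__import__('os')",                              # function call
    "{'a': open}",                                   # bare name lookup
    "[1, 2",                                         # malformed literal
]

class ConfigError(ValueError):
    """Raised when untrusted config text is not a plain dict literal."""

def load_config(text):
    """Parse untrusted text into a dict from literals only; nothing is executed."""
    if len(text.encode("utf-8")) > MAX_CONFIG_BYTES:
        raise ConfigError("config too large")
    try:
        # literal_eval accepts only literal nodes (str, numbers, tuple, list, dict, ...).
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ConfigError("not a literal: %s" % exc.__class__.__name__)
    if not isinstance(value, dict):
        raise ConfigError("top-level value must be a dict")
    return value

def is_rejected(text):
    """Return True if load_config refuses the input."""
    try:
        load_config(text)
    except ConfigError:
        return True
    return False

if __name__ == "__main__":
    print(load_config(SAMPLE_CONFIG))
    for sample in REJECTED_SAMPLES:
        print(repr(sample), "rejected:", is_rejected(sample))
```

Unlike the bare except in the question, a rejected input surfaces as ConfigError, so the caller can tell a refused file from an empty configuration.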
