eval(source, {'builtins': {}}) archived as Faq

p.lavarre

Absent from http://www.python.org/doc/current/lib/built-in-funcs.html
but now copied to the Faq list of http://pyfaq.infogami.com/suggest,
from these clp archives:

///

Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?

A: eval(source, {'builtins': {}})

Note: What eval may do to you remains as surprising as ever if you
mistype this idiom as: eval(source, {})

Note: This idiom makes sense of ordinary Python literals (such as 010,
0x8, 8.125e+0, and "\x45ight"). This idiom also correctly interprets
simple literal expressions, such as 64**0.5.
 
Erik Max Francis

p.lavarre said:
Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?

A: eval(source, {'builtins': {}})

This is an _extremely_ bad idea. _Never_ use eval in a case where you
are trying to validate input.

Oops, the interpreter exited.

Just when you think you've covered all the bases, you haven't.
 
Duncan Booth

Erik Max Francis said:
This is an _extremely_ bad idea. _Never_ use eval in a case where you
are trying to validate input.


Oops, the interpreter exited.

I'm slightly surprised that nobody has yet pointed out that the OP failed
at the very first hurdle here. If you are going to do this dangerous trick
then 'builtins' should be spelled '__builtins__':

>>> def e(source): return eval(source, {'__builtins__': {}})
...
>>> e('__import__("sys").exit()')
Traceback (most recent call last):
  File "<pyshell#9>", line 1, in <module>
    e('__import__("sys").exit()')
  File "<pyshell#8>", line 1, in e
    def e(source): return eval(source, {'__builtins__': {}})
NameError: name '__import__' is not defined

but it is still not going to stop nasty things happening, it just makes
them a little more complex:
>>> e("[c for c in 1 .__class__.__bases__[0].__subclasses__() if c.__name__=='Quitter'][0]('bang')()")
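
Added example (editor's code, not part of Duncan's post or the original thread): a Python 3 script that reproduces the points made so far. The misspelled key leaks the real builtins, the corrected spelling blocks a direct __import__ but not the object.__subclasses__() walk, and ast.literal_eval handles the literals the OP asked about (010 spelled 0o10 in Python 3) while rejecting 64**0.5 and anything that is not a literal. The escape generalizes Duncan's: instead of looking for Quitter by name (whose one-argument constructor is the Python 2 site.Quitter; the Python 3 version takes two arguments) it takes the first Python-defined subclass of object and reads the real builtins out of its __init__.__globals__. The function names and probe expressions are assumptions of this example.

```python
"""Added example (not from the thread): eval() with a stripped namespace
is not a sandbox, and ast.literal_eval() is the tool for literals.
Python 3; function names and probe expressions are the editor's own."""
import ast


def eval_misspelled(source):
    """The idiom as posted. 'builtins' is not a magic key, so the
    interpreter inserts the real __builtins__ into these globals."""
    return eval(source, {'builtins': {}})


def eval_no_builtins(source):
    """The corrected spelling: a direct __import__ now raises NameError."""
    return eval(source, {'__builtins__': {}})


def builtins_leaked(evaluator):
    """True if the evaluator lets an expression reach the real __import__."""
    try:
        evaluator('__import__("os").getcwd()')   # harmless probe
        return True
    except NameError:
        return False


# Duncan's escape, generalized: walk object.__subclasses__() starting from
# a tuple, pick the first Python-defined class (its __init__ is a plain
# function, so it carries __globals__) and read the real builtins out of
# that module's globals. Only attribute access, indexing and a
# comprehension are used, so an empty '__builtins__' dict blocks nothing.
ESCAPE = (
    "[c.__init__.__globals__['__builtins__']"
    " for c in ().__class__.__bases__[0].__subclasses__()"
    " if c.__init__.__class__.__name__ == 'function'"
    " and '__builtins__' in c.__init__.__globals__][0]"
)


def escaped_builtins(evaluator):
    """Recover the real builtins namespace through ESCAPE."""
    found = evaluator(ESCAPE)
    # Module globals hold __builtins__ either as the module or as its dict.
    return found if isinstance(found, dict) else vars(found)


def safe_literal(source):
    """Parse a Python literal without executing anything.

    ast.literal_eval accepts strings, bytes, numbers, tuples, lists, dicts,
    sets, booleans and None. Calls, attribute access and arithmetic other
    than +/- on numeric literals are rejected with ValueError."""
    return ast.literal_eval(source)


def is_literal(source):
    """True if source is something ast.literal_eval will accept."""
    try:
        ast.literal_eval(source)
    except (ValueError, SyntaxError, TypeError):
        return False
    return True


if __name__ == '__main__':
    print('misspelled key leaks builtins:', builtins_leaked(eval_misspelled))
    print("__builtins__ = {} blocks __import__:",
          not builtins_leaked(eval_no_builtins))
    print('... but __import__ recovered anyway:',
          '__import__' in escaped_builtins(eval_no_builtins))
    for src in ['0o10', '0x8', '8.125e+0', '"\\x45ight"', '64**0.5',
                '__import__("sys").exit()']:
        print(repr(src), '->',
              safe_literal(src) if is_literal(src) else 'rejected')
```

ast.literal_eval is the answer to the OP's actual question, with two caveats: it does not evaluate expressions such as 64**0.5 (that is a feature), and deeply nested input can still exhaust the parser's stack, so bound the size of untrusted input before parsing it.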
 
Erik Max Francis

Duncan said:
I'm slightly surprised that nobody has yet pointed out that the OP failed
at the very first hurdle here. If you are going to do this dangerous trick
then 'builtins' should be spelled '__builtins__':

I did, because otherwise the exploit I gave wouldn't have worked so easily.

The bottom line here is that you shouldn't even try to go through the
exercise of seeing if you can bullet-proof a solution using eval;
instead, you shouldn't even try.
 
