Re: Eval (was Re: Question about using python as a scripting language)

Discussion in 'Python' started by Chris Lambacher, Aug 9, 2006.

  1. On Wed, Aug 09, 2006 at 11:51:19AM -0400, Brendon Towle wrote:
    > On 9 Aug 2006, at 11:04 AM, Chris Lambacher wrote:
    >
    > How is your data stored? (site was not loading for me).
    >
    > In the original source HTML, it's like this (I've deleted all but the
    > beginning and the end of the list for clarity):
    > var table_body = [
    > ["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
    > ,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
    > ];

    I didn't realize it was javascript syntax, a json implementation would
    probably work for you: http://cheeseshop.python.org/pypi/simplejson

    >
    > More sophisticated situations (like nested lists) may require something
    > like pyparsing.
    >
    > I could do that, or I could do something like the re.* trick mentioned by
    > another poster. But, doesn't it offend anyone else that the only clean way
    > to access functionality that's already in Python is to write long
    > complicated Python code? Python already knows how to extract a list object
    > from a string; why should I have to rewrite that?

    I don't disagree with you. The problem is that the obvious way to do it
    (eval) is a big security hole. In this case you are trusting that no one
    inserts themselves between you and the website providing you with code to
    EXECUTE. I have heard of people attempting to use the parser provided with
    python and examining the AST to do this, but I think that approach is even
    more complicated.
    > B.
    >
    > On Wed, Aug 09, 2006 at 10:23:49AM -0400, Brendon Towle wrote:
    >
    > Slawomir Nowaczyk noted:
    > #> Heck, whenever *is* it OK to use eval() then?
    > eval is like optimisation. There are two rules:
    > Rule 1: Do not use it.
    > Rule 2 (for experts only): Do not use it (yet).
    > So, that brings up a question I have. I have some code that goes out to a
    > website, grabs stock data, and sends out some reports based on the data.
    > Turns out that the website in question stores its data in the format of a
    > Python list (http://quotes.nasdaq.com/quote.dll?page=nasdaq100, search
    > the source for "var table_body"). So, the part of my code that extracts
    > the data looks something like this:
    > START_MARKER = 'var table_body = '
    > END_MARKER = '];'
    > def extractStockData(data):
    >     pos1 = data.find(START_MARKER)
    >     pos2 = data.find(END_MARKER, pos1)
    >     # pos2 + 1 keeps the closing ']' so the slice is a balanced literal
    >     return eval(data[pos1+len(START_MARKER):pos2 + 1])
    > (I may have an off-by-one error in there somewhere -- this is from memory,
    > and the code actually works.)
    > My question is: what's the safe way to do this?
    > B.
    > --
    > Brendon Towle, PhD
    > Cognitive Scientist
    > +1-412-690-2442x127
    > Carnegie Learning, Inc.
    > The Cognitive Tutor Company ®
    > Helping over 375,000 students in 1000 school districts succeed in math.
     
    Chris Lambacher, Aug 9, 2006
    #1
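    The JSON route Chris suggests, worked through as an added example (this is
    not code from the thread, and the `json` module used here is the standard
    library successor of the simplejson package he links). It keeps the marker
    approach from Brendon's snippet, parses the sliced-out array with the JSON
    grammar instead of eval, checks the shape of each row afterwards, and shows
    what happens to both versions when someone between the client and the site
    alters the page. The HTML fragment is constructed from the two rows quoted
    above, not fetched from quotes.nasdaq.com, and the injected payload is a
    harmless `os.getpid()` call.

    ```python
    import json

    # Constructed sample of the page fragment described in the thread; it is not
    # a capture of quotes.nasdaq.com, only the two quoted rows inside a script tag.
    SAMPLE_HTML = """<html><body><script type="text/javascript">
    var table_body = [
    ["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
    ,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
    ];
    </script></body></html>"""

    # What a man-in-the-middle (or a compromised site) could serve instead. The
    # payload is a harmless os.getpid() so the demonstration is safe to run.
    TAMPERED_HTML = SAMPLE_HTML.replace(
        'var table_body = [', 'var table_body = [__import__("os").getpid(),', 1)

    START_MARKER = 'var table_body = '
    END_MARKER = '];'


    def extract_table_literal(html):
        """Slice the JavaScript array literal out of the page (the marker approach)."""
        start = html.find(START_MARKER)
        if start == -1:
            raise ValueError("start marker not found")
        start += len(START_MARKER)
        end = html.find(END_MARKER, start)
        if end == -1:
            raise ValueError("end marker not found")
        return html[start:end + 1]      # keep the closing ']' so the literal is balanced


    def unsafe_extract(html):
        """The original approach: eval() runs whatever the page happens to contain."""
        return eval(extract_table_literal(html))


    def validate_row(row):
        """Shape check after parsing: 9 fields, strings and numbers where the page has them."""
        if not (isinstance(row, list) and len(row) == 9):
            raise ValueError("expected a 9-field row, got %r" % (row,))
        for field in (row[0], row[1], row[7], row[8]):
            if not isinstance(field, str):
                raise ValueError("expected a string field in %r" % (row,))
        for field in row[2:7]:
            if isinstance(field, bool) or not isinstance(field, (int, float)):
                raise ValueError("expected a numeric field in %r" % (row,))
        return row


    def extract_stock_data(html):
        """Safe version: the JSON grammar has no names, calls or operators, so the
        literal can only decode to data.  Malformed or tampered input raises
        ValueError (json.JSONDecodeError is a ValueError subclass)."""
        rows = json.loads(extract_table_literal(html))
        if not isinstance(rows, list):
            raise ValueError("expected a JSON array of rows")
        return [validate_row(row) for row in rows]


    def rejects(html):
        """True if the safe parser refuses the page instead of producing data."""
        try:
            extract_stock_data(html)
        except ValueError:
            return True
        return False


    if __name__ == "__main__":
        print(extract_stock_data(SAMPLE_HTML))
        print("tampered page rejected:", rejects(TAMPERED_HTML))
        print("eval ran the injected call, pid =", unsafe_extract(TAMPERED_HTML)[0])
    ```

    Two caveats. JSON is only a subset of JavaScript, so a page that used single
    quotes, trailing commas or comments would fail to parse; that is the right
    failure mode, since it is a loud error rather than executed code. And
    parsing safely fixes the code-execution problem, not the integrity one: the
    same interposed party can still feed you wrong numbers, so the fetch itself
    needs an authenticated channel such as HTTPS.
    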

  2. gene tani

    Chris Lambacher wrote:
    > On Wed, Aug 09, 2006 at 11:51:19AM -0400, Brendon Towle wrote:
    > I don't disagree with you. The problem is that the obvious way to do it
    > (eval) is a big security hole. In this case you are trusting that no one
    > inserts themselves between you and the website providing you with code to
    > EXECUTE. I have heard of people attempting to use the parser provided with
    > python and examining the AST to do this, but I think that approach is even
    > more complicated.


    here's some things about sandboxing python:

    http://svn.python.org/view/python/branches/bcannon-sandboxing/securing_python.txt?rev=50717&view=log
    http://sayspy.blogspot.com/2006/07/still-working-on-security.html
     
    gene tani, Aug 9, 2006
    #2

  3. Simon Forman

    Chris Lambacher wrote:
    > On Wed, Aug 09, 2006 at 11:51:19AM -0400, Brendon Towle wrote:
    > > On 9 Aug 2006, at 11:04 AM, Chris Lambacher wrote:
    > >
    > > How is your data stored? (site was not loading for me).
    > >
    > > In the original source HTML, it's like this (I've deleted all but the
    > > beginning and the end of the list for clarity):
    > > var table_body = [
    > > ["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
    > > ,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
    > > ];

    > I didn't realize it was javascript syntax, a json implementation would
    > probably work for you: http://cheeseshop.python.org/pypi/simplejson
    >
    > >
    > > More sophisticated situations (like nested lists) may require something
    > > like pyparsing.
    > >
    > > I could do that, or I could do something like the re.* trick mentioned by
    > > another poster. But, doesn't it offend anyone else that the only clean way
    > > to access functionality that's already in Python is to write long
    > > complicated Python code? Python already knows how to extract a list object
    > > from a string; why should I have to rewrite that?

    > I don't disagree with you. The problem is that the obvious way to do it
    > (eval) is a big security hole. In this case you are trusting that no one
    > inserts themselves between you and the website providing you with code to
    > EXECUTE. I have heard of people attempting to use the parser provided with
    > python and examining the AST to do this, but I think that approach is even
    > more complicated.
    > > B.
    > >
    > > On Wed, Aug 09, 2006 at 10:23:49AM -0400, Brendon Towle wrote:
    > >
    > > Slawomir Nowaczyk noted:
    > > #> Heck, whenever *is* it OK to use eval() then?
    > > eval is like optimisation. There are two rules:
    > > Rule 1: Do not use it.
    > > Rule 2 (for experts only): Do not use it (yet).
    > > So, that brings up a question I have. I have some code that goes out to a
    > > website, grabs stock data, and sends out some reports based on the data.
    > > Turns out that the website in question stores its data in the format of a
    > > Python list (http://quotes.nasdaq.com/quote.dll?page=nasdaq100, search
    > > the source for "var table_body"). So, the part of my code that extracts
    > > the data looks something like this:
    > > START_MARKER = 'var table_body = '
    > > END_MARKER = '];'
    > > def extractStockData(data):
    > >     pos1 = data.find(START_MARKER)
    > >     pos2 = data.find(END_MARKER, pos1)
    > >     # pos2 + 1 keeps the closing ']' so the slice is a balanced literal
    > >     return eval(data[pos1+len(START_MARKER):pos2 + 1])
    > > (I may have an off-by-one error in there somewhere -- this is from memory,
    > > and the code actually works.)
    > > My question is: what's the safe way to do this?
    > > B.


    Fredrik Lundh posted a great piece of code to parse a subset of python
    safely:

    http://groups.google.ca/group/comp.lang.python/browse_frm/thread/8e427c5e6da35c/a34397ba74892b4e

    Peace,
    ~Simon
     
    Simon Forman, Aug 9, 2006
    #3
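    The AST-inspection approach Chris mentions, which is also the idea behind
    the parser Simon links (and the ancestor of what later shipped in the
    standard library as `ast.literal_eval`), can be written on top of the `ast`
    module in a few dozen lines. What follows is an added example, not
    Fredrik Lundh's code or anything from the thread; it assumes Python 3.8 or
    later (`ast.Constant`) and accepts only the literal subset a data feed
    needs: strings, numbers, booleans, None, containers of those, and a sign in
    front of a number. Every other node type, including names, calls,
    attribute access, subscripts and arithmetic, is rejected before anything
    is evaluated, so the walk never reaches `__import__("os")` or `2 ** 999999`.

    ```python
    import ast

    # Node types that may appear anywhere in an accepted expression.  Name, Call,
    # Attribute, Subscript, BinOp, JoinedStr (f-strings) and so on are absent.
    ALLOWED_NODES = (
        ast.Expression,                  # root of an expression parsed with mode="eval"
        ast.Constant,                    # str, bytes, int, float, complex, bool, None
        ast.List, ast.Tuple, ast.Set, ast.Dict,
        ast.UnaryOp, ast.UAdd, ast.USub, # a sign on a number, e.g. -0.15
        ast.Load,                        # the ctx marker attached to List/Tuple
    )


    def safe_literal(src, max_len=1_000_000):
        """Parse a Python literal and rebuild the value by walking the AST.

        Raises ValueError for any syntax outside the literal subset.  The size
        cap (an assumed, adjustable limit) bounds how much work a hostile input
        can hand to the parser.
        """
        if len(src) > max_len:
            raise ValueError("input too large")
        tree = ast.parse(src, mode="eval")      # no evaluation, no constant folding
        for node in ast.walk(tree):
            if not isinstance(node, ALLOWED_NODES):
                raise ValueError("disallowed syntax: %s" % type(node).__name__)
        return _build(tree.body)


    def _build(node):
        """Turn an already-vetted AST node into the value it denotes."""
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.List):
            return [_build(e) for e in node.elts]
        if isinstance(node, ast.Tuple):
            return tuple(_build(e) for e in node.elts)
        if isinstance(node, ast.Set):
            return {_build(e) for e in node.elts}
        if isinstance(node, ast.Dict):
            if any(k is None for k in node.keys):       # {**other} unpacking
                raise ValueError("dict unpacking not allowed")
            return {_build(k): _build(v) for k, v in zip(node.keys, node.values)}
        if isinstance(node, ast.UnaryOp):
            operand = _build(node.operand)
            # Only a sign on a real number: -"abc" or -[1] must never reach the operator.
            if isinstance(operand, bool) or not isinstance(operand, (int, float, complex)):
                raise ValueError("unary sign applied to a non-number")
            return -operand if isinstance(node.op, ast.USub) else +operand
        raise ValueError("unexpected node %s" % type(node).__name__)


    def rejects_literal(src):
        """True if safe_literal refuses the input (bad syntax, disallowed node,
        or an unhashable set/dict element)."""
        try:
            safe_literal(src)
        except (ValueError, SyntaxError, TypeError):
            return True
        return False


    if __name__ == "__main__":
        table = '[["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]]'
        print(safe_literal(table))
        for bad in ('__import__("os").system("id")', '2 ** 999999', '[1, 2, 3][0]', '-"x"'):
            print(repr(bad), "rejected:", rejects_literal(bad))
    ```

    The whitelist is checked over the whole tree before any value is built, so
    a disallowed node nested deep inside a list is caught just as early as one
    at the top. Two limits remain outside this code: the parser itself still
    has to read the input, so cap its size as above and expect `RecursionError`
    or a nesting `SyntaxError` on absurdly deep brackets, and, as with the JSON
    version, accepting only data says nothing about whether the data is genuine.
    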
