RE: Question about using python as a scripting language

Discussion in 'Python' started by Delaney, Timothy (Tim), Aug 7, 2006.

  1. Steve Lianoglou wrote:

    > One thing you could do is use the eval or compile methods. These
    > functions let you run arbitrary code passed into them as a string.
    >
    > So, for instance, you can write:
    > my_list = eval('[1,2,3,4]')


    This is just asking for trouble.

    my_list = eval('import shutil; shutil.rmtree('/')')

    Terry's approach is much better. Another alternative is to create a
    dictionary mapping an action name to a function. Basically the same as
    Terry's solution, but the dictionary lookup is explicit (as opposed to
    being hidden as method names).

    Tim Delaney
     
    Delaney, Timothy (Tim), Aug 7, 2006
    #1
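    The dispatch-table alternative Tim describes, as an added example that is not code from the thread: the script supplies action names, but the callable is looked up in an explicit dict, and arguments are parsed with ast.literal_eval rather than eval(). The command format and the three action functions are constructed for illustration.

```python
import ast

# Constructed example, not code from the thread: a tiny command language in
# which each line is "<action> <arg> <arg> ...". Arguments are Python
# literals without embedded whitespace.

def add(a, b):
    return a + b

def concat(*parts):
    return "".join(parts)

def tail(items, n=1):
    return items[-n:]

# The dispatch table. A script can only ever invoke what is listed here;
# nothing is looked up by name in globals() or through eval().
ACTIONS = {
    "add": add,
    "concat": concat,
    "tail": tail,
}

def parse_args(tokens):
    # ast.literal_eval evaluates literals only (numbers, strings, lists,
    # dicts, ...). A token such as __import__("os").getcwd() is not a
    # literal, so it raises ValueError instead of running anything.
    return [ast.literal_eval(tok) for tok in tokens]

def run_line(line):
    tokens = line.split()
    if not tokens:
        raise ValueError("empty line")
    name, raw_args = tokens[0], tokens[1:]
    if name not in ACTIONS:
        raise ValueError("unknown action: %r" % name)
    return ACTIONS[name](*parse_args(raw_args))

def try_run(line):
    """Run one line, reporting ('ok', value) or ('error', message)."""
    try:
        return ("ok", run_line(line))
    except (ValueError, SyntaxError, TypeError) as exc:
        return ("error", str(exc))

def run_script(text):
    return [try_run(l) for l in text.splitlines() if l.strip()]
```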

  2. Delaney, Timothy (Tim) wrote:
    > This is just asking for trouble.
    >
    > my_list = eval('import shutil; shutil.rmtree('/')')


    Hah .. wow.

    And in related news: you still shouldn't be taking candy from
    strangers.

    Point well taken. Thanks for flagging that one.

    -steve
     
    Steve Lianoglou, Aug 7, 2006
    #2

  3. Steve Lianoglou wrote:
    > Delaney, Timothy (Tim) wrote:
    >> This is just asking for trouble.
    >>
    >> my_list = eval('import shutil; shutil.rmtree('/')')

    >
    > Hah .. wow.
    >
    > And in related news: you still shouldn't be taking candy from
    > strangers.
    >
    > Point well taken. Thanks for flagging that one.


    Heck, whenever *is* it OK to use eval() then?

    ?-\
    wildemar
     
    Wildemar Wildenburger, Aug 8, 2006
    #3
  4. On Tue, 08 Aug 2006 14:32:32 +0200
    Wildemar Wildenburger wrote:

    #> Steve Lianoglou wrote:
    #> > Delaney, Timothy (Tim) wrote:
    #> >> This is just asking for trouble.
    #> >>
    #> >> my_list = eval('import shutil; shutil.rmtree('/')')
    #> >
    #> > Hah .. wow.
    #> >
    #> > And in related news: you still shouldn't be taking candy from
    #> > strangers.
    #> >
    #> > Point well taken. Thanks for flagging that one.
    #>
    #> Heck, whenever *is* it OK to use eval() then?

    eval is like optimisation. There are two rules:

    Rule 1: Do not use it.
    Rule 2 (for experts only): Do not use it (yet).

    :)

    --
    Best wishes,
    Slawomir Nowaczyk

    The good people sleep much better at night than the bad people. Of course,
    the bad people enjoy the waking hours much more.
     
    Slawomir Nowaczyk, Aug 9, 2006
    #4
  5. Wildemar Wildenburger wrote:
    > Heck, whenever *is* it OK to use eval() then?

    When you're sure of the validity of the string you are feeding it.
    Unfortunately, the more you know about the string (and thus how valid it is
    in your current context), the less you need eval. For example, if I know a
    string s only contains digits and I want an integer out of the result, I can
    avoid eval() by calling int(s). Even if I don't know for sure that it's a
    string of digits I'm still better off calling int() and trapping any
    exceptions:

    try:
        n = int(s)
    except ValueError:
        print "hmmm...", repr(s), "doesn't look like an integer to me."

    Skip
     
    Skip, Aug 9, 2006
    #5
  6. Wildemar Wildenburger wrote:
    > Steve Lianoglou wrote:
    > > Delaney, Timothy (Tim) wrote:
    > >> This is just asking for trouble.
    > >>
    > >> my_list = eval('import shutil; shutil.rmtree('/')')

    > >
    > > Hah .. wow.
    > >
    > > And in related news: you still shouldn't be taking candy from
    > > strangers.
    > >
    > > Point well taken. Thanks for flagging that one.

    >
    > Heck, whenever *is* it OK to use eval() then?


    1. When you deliberately want to give the user power to run Python
    code. (For example, I've written an HTML generator--who hasn't--that
    uses eval and exec to expand in-line Python code. Perfectly ok as long
    as you don't let untrusted users run the program.)

    2. When you construct Python code within your program using no
    untrusted data


    Carl Banks
     
    Carl Banks, Aug 9, 2006
    #6
  7. Delaney, Timothy (Tim) wrote:
    > Steve Lianoglou wrote:
    >
    > > One thing you could do is use the eval or compile methods. These
    > > functions let you run arbitrary code passed into them as a string.
    > >
    > > So, for instance, you can write:
    > > my_list = eval('[1,2,3,4]')

    >
    > This is just asking for trouble.
    >
    > my_list = eval('import shutil; shutil.rmtree('/')')


    Fortunately, that won't work because eval expects an expression.
    Unfortunately, this will:

    my_list = eval('__import__("shutil").rmtree("/")')


    Carl Banks
     
    Carl Banks, Aug 9, 2006
    #7
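    An added illustration of Carl's point, not code from the thread: compiling in 'eval' mode only rejects statements, so the __import__ form still parses as a perfectly valid expression, whereas ast.literal_eval refuses anything that is not a literal. The strings are only parsed, never executed, and parse_int_list is a hypothetical safe replacement for the eval('[1,2,3,4]') at the top of the thread.

```python
import ast

# Constructed inputs taken from the thread's discussion. None of them is
# ever passed to eval(); they are only parsed.
STATEMENT_PAYLOAD = 'import shutil; shutil.rmtree("/")'
EXPRESSION_PAYLOAD = '__import__("shutil").rmtree("/")'
DATA_LITERAL = "[1,2,3,4]"

def classify(source):
    """Report how two layers treat a string without executing it.

    'expression': does compile(..., 'eval') accept it? That is the only
    check eval() itself performs, and it is not a security boundary.
    'literal': does ast.literal_eval accept it? Calls, attribute access
    and names are rejected, so no code can run through this path.
    """
    try:
        compile(source, "<string>", "eval")
        is_expression = True
    except SyntaxError:
        is_expression = False
    try:
        value = ast.literal_eval(source)
        is_literal = True
    except (ValueError, SyntaxError):
        value, is_literal = None, False
    return {"expression": is_expression, "literal": is_literal, "value": value}

def parse_int_list(source):
    """Safe replacement for eval('[1,2,3,4]'): accept only a list of ints."""
    value = ast.literal_eval(source)
    ok = isinstance(value, list) and all(
        isinstance(x, int) and not isinstance(x, bool) for x in value)
    if not ok:
        raise ValueError("expected a list of integers, got %r" % (value,))
    return value

def is_rejected(source):
    """True when parse_int_list refuses the string instead of returning."""
    try:
        parse_int_list(source)
    except (ValueError, SyntaxError):
        return True
    return False
```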
  8. Carl Banks wrote:
    > Wildemar Wildenburger wrote:
    >> Heck, whenever *is* it OK to use eval() then?

    >
    > 2. When you construct Python code within your program using no
    > untrusted data


    Ok, I had never even thought of that. Makes me itch to try it right now :).

    wildemar
     
    Wildemar Wildenburger, Aug 10, 2006
    #8
