comp.lang.python

Re: Use eval() safely?

Jonathan Gardner

2/22/2010 7:45:00 PM

On Sun, Feb 21, 2010 at 1:25 PM, W. Martin Borgert <debacle@debian.org> wrote:
>
> I know that this issue has been discussed before, but most of
> the time using only one argument to eval().
>
> Is it possible to use the following code, e.g. run as part of a
> web application, to break in and if so, how?
>
> import math
>
> def myeval(untrustedinput):
>    return eval(untrustedinput, {"__builtins__": None},
>                { "abs": abs, "sin": math.sin })
>
> Is it possible to define functions or import modules from the
> untrusted input string?
>
> Which Python built-ins and math functions would I have to add to
> the functions dictionary to make it unsafe?
>

Why would you ever run untrusted code on any machine in any language,
let alone Python?

If you're writing a web app, make it so that you only run trusted
code. That is, code installed by the admin, or approved by the admin.

--
Jonathan Gardner
jgardner@jonathangardner.net
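The code in the quoted question, with an added example that is not part of the original thread or of the poster's code: it reproduces `myeval()` unchanged, shows what the `{"__builtins__": None}` trick does and does not stop (plain name lookup fails, but attribute access on a literal still reaches `object.__subclasses__()` and so every class loaded in the process, which is a documented property of CPython, not something particular to this snippet), and puts a hardened alternative beside it that parses the input with `ast` and evaluates only a whitelist of node types. The names `name_lookup_is_blocked`, `reaches_object_subclasses`, `safe_eval`, `rejected` and the `MAX_*` bounds are mine; the bounds are assumptions chosen to keep `9**9**9`-style resource exhaustion out, not values from the thread.

```python
import ast
import math
import operator

# The pattern from the quoted question, reproduced unchanged for comparison.
def myeval(untrustedinput):
    return eval(untrustedinput, {"__builtins__": None},
                {"abs": abs, "sin": math.sin})


def name_lookup_is_blocked(expr="__import__('os')"):
    """Replacing __builtins__ does stop plain name lookups: the name is not
    in the locals dict and the builtins slot is None, so CPython raises
    (TypeError in current versions; NameError is the other possible outcome)."""
    try:
        myeval(expr)
    except (NameError, TypeError):
        return True
    return False


def reaches_object_subclasses():
    """Attribute access, subscripting and method calls need no builtins.
    Starting from an empty tuple literal the expression walks to `object`
    and lists its direct subclasses, i.e. the type hierarchy of the whole
    process. Nothing further is done with the list; that it is reachable
    at all is what makes the namespace trick insufficient as a sandbox."""
    classes = myeval("().__class__.__bases__[0].__subclasses__()")
    return isinstance(classes, list) and len(classes) > 0


# Hardened alternative (assumption: the caller only needs arithmetic plus the
# two listed functions). Parse first, then evaluate only whitelisted node
# types; attributes, subscripts, names, strings, comprehensions and lambdas
# are rejected before anything is executed.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_FUNCS = {"abs": abs, "sin": math.sin}
MAX_LEN = 200        # assumption: bound on input length
MAX_EXPONENT = 64    # assumption: bound on any exponent
MAX_BITS = 4096      # assumption: bound on the size of an integer power


def safe_eval(expr):
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")   # SyntaxError propagates for junk
    return _eval_node(tree.body)


def _eval_node(node):
    if isinstance(node, ast.Constant):
        # bool is an int subclass; exclude it along with str, bytes and None
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError("only numeric literals are allowed")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow):
            if abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            if isinstance(left, int) and left.bit_length() * abs(right) > MAX_BITS:
                raise ValueError("result too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        return _FUNCS[node.func.id](*[_eval_node(a) for a in node.args])
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def rejected(expr):
    """True if safe_eval refuses the expression as bad input."""
    try:
        safe_eval(expr)
    except (ValueError, SyntaxError, ArithmeticError):
        return True
    return False


if __name__ == "__main__":
    print("name lookup blocked by __builtins__=None:", name_lookup_is_blocked())
    print("type hierarchy still reachable:", reaches_object_subclasses())
    print("safe_eval('abs(-3) + sin(0)') =", safe_eval("abs(-3) + sin(0)"))
    print("safe_eval rejects 9 ** 9 ** 9:", rejected("9 ** 9 ** 9"))
```

The whitelist evaluator answers the last question in the quoted post from the other direction: instead of asking which built-ins make the namespace unsafe, it never gives the input access to a namespace at all, and every function or operator it accepts is a deliberate choice in `_FUNCS` or `_BIN_OPS`. For literal data rather than expressions, `ast.literal_eval` from the standard library does the equivalent job.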

Steven D'Aprano

2/23/2010 7:09:00 AM


On Mon, 22 Feb 2010 11:45:10 -0800, Jonathan Gardner wrote:

> Why would you ever run untrusted code on any machine in any language,
> let alone Python?

Because sometimes you have to run untrusted code, so you want to run it
in a sandbox so it can't eat your machine.

E.g. viewing PDF files.

Or you might be building an app that allows the user to enter code and
execute it:

http://tr...
> If you're writing a web app, make it so that you only run trusted code.
> That is, code installed by the admin, or approved by the admin.

But do you trust the admin? Do you think your admin has audited the
entire tool chain of every application, library and operating system
module in your system?



--
Steven