In response to http://bugs.python.org/issue15452, I've created an improved evaluator in the ast module in my sandbox repo. The evaluator supports lookup of names in a supplied namespace. The basic interface is
def lookup_eval(source_string_or_ast_node, namespace, allow_imports=False): # perform limited evaluation of Python expressions Function calls are not allowed in expressions, but the following are: * Names (looked up in namespace, and imported if not found there and allow_imports is True) * Literals, just as literal_eval() does * Array indexing and slicing * Attribute access * Arithmetic operators * Bitwise operators * Comparison operators * in / not in * and / or * Unary operators The patch is attached to the issue, and includes changes to replace the use of eval() by logging.config.fileConfig() to use ast.lookup_eval(). I would welcome review of the patch, particularly as there may be security implications (the issue is titled "Improve the security model for logging listener"). Barring objections, I plan to commit it in a week or so. Regards, Vinay Sajip _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
