2012/10/11 Vinay Sajip <vinay_sa...@yahoo.co.uk>: > In response to http://bugs.python.org/issue15452, I've created an improved > evaluator in the ast module in my sandbox repo. The evaluator supports lookup > of > names in a supplied namespace. The basic interface is > > def lookup_eval(source_string_or_ast_node, namespace, allow_imports=False): > # perform limited evaluation of Python expressions > > Function calls are not allowed in expressions, but the following are: > > * Names (looked up in namespace, and imported if not found there and > allow_imports is True) > * Literals, just as literal_eval() does > * Array indexing and slicing > * Attribute access > * Arithmetic operators > * Bitwise operators > * Comparison operators > * in / not in > * and / or > * Unary operators
With this operations, you can still cause a lot of trouble. > > The patch is attached to the issue, and includes changes to replace the use > of eval() by logging.config.fileConfig() to use ast.lookup_eval(). > > I would welcome review of the patch, particularly as there may be security > implications (the issue is titled "Improve the security model for logging > listener"). What exactly are you trying to prevent? -- Regards, Benjamin _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
