On Thu, Oct 18, 2012 at 5:41 PM, Georg Brandl <g.bra...@gmx.net> wrote: > On 10/18/2012 03:16 PM, Daniel Holth wrote: >> On Thu, Oct 11, 2012 at 1:36 PM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote: >>> Daniel Holth <dholth <at> gmail.com> writes: >>> >>>> How does this compare to the markerlib approach? In markerlib you just >>>> make sure all the AST nodes are in a set of allowed nodes, currently >>>> (Compare, BoolOp, Attribute, Name, Load, Str, cmpop, boolop), and then >>>> use the normal eval(). Is one way more secure / fast / flexible than >>>> the other? >>> >>> I don't think performance is an issue, and the markerlib approach seems just >>> as reasonable as the one I've taken, except that it calls eval(), whereas my >>> approach doesn't. It boils down to what should be allowed in expressions, >>> and >>> what shouldn't be.
I'm not sure if this is pertinent to the safe eval discussion, but currently it's possible to make python crash with a segfault even by just *parsing* an expression. See http://bugs.python.org/issue5765 Andrea _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
