Michael Spencer wrote:
In fact, I believe my solution to be totally safe,
That's a bold claim! I'll readily concede that I can't access func_globals from restricted mode eval (others may know better). But your interpreter is still vulnerable to DOS-style attack from rogue calculations or quasi-infinite loops.
Yes, but I don't see your manually-rolled-up expression calculator being DOS-safe. I believe DOS attacks to be a problem whenever you want to calculate the result of an expression taken from the outside. What I was trying to show is that my simple one-liner is no worse than a multi-page full-blown expression parser and interpreter.
Fair point that brevity is itself valuable in achieving security. It isn't worth using my "manually-rolled-up expression calculator" simply to deny access to func_globals as you have demonstrated.
However, the advantage of the MRUEP is that every operation is evaluated individually. In the example I showed, loops are disabled, attribute access is disabled. Numeric inputs and intermediate results can be checked easily for boundedness (though they are not in the example I gave). This sort of fine-grain control is very much harder to do with a straight eval model.
Cheers
Michael
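The per-operation evaluation model described in the message above, as an added example that is not code from the thread or from either poster: a whitelist evaluator built on Python 3's `ast` module in which every node is dispatched individually, anything not listed (names, attribute access, calls, comprehensions) is rejected, and inputs, exponents and intermediate results are bounds-checked. The names `safe_eval` and `Rejected` and the limits `MAX_ABS`, `MAX_EXP` and `MAX_NODES` are assumptions chosen for illustration.

```python
import ast
import operator

MAX_ABS = 10**12   # assumed bound on inputs and intermediate results
MAX_EXP = 64       # assumed bound on exponents
MAX_NODES = 200    # assumed cap on expression size

BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
          ast.Div: operator.truediv, ast.Pow: operator.pow}
UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}


class Rejected(ValueError):
    """Expression uses a disallowed construct or exceeds a bound."""


def _bounded(value):
    if isinstance(value, complex) or abs(value) > MAX_ABS:
        raise Rejected("result out of bounds")
    return value


def _eval(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return _bounded(node.value)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY:
        return UNARY[type(node.op)](_eval(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BINOPS:
        left, right = _eval(node.left), _eval(node.right)
        # Check the exponent before computing, so 9**9**9 is never evaluated.
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXP:
            raise Rejected("exponent too large")
        try:
            return _bounded(BINOPS[type(node.op)](left, right))
        except (ZeroDivisionError, OverflowError):
            raise Rejected("arithmetic error") from None
    # Names, attribute access, calls, comprehensions, lambdas all end here.
    raise Rejected("disallowed node: " + type(node).__name__)


def safe_eval(source):
    try:
        tree = ast.parse(source, mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError):
        raise Rejected("unparseable expression") from None
    if sum(1 for _ in ast.walk(tree)) > MAX_NODES:
        raise Rejected("expression too large")
    return _eval(tree.body)
```

The limits only bound work done during evaluation; a caller that accepts untrusted input would also cap the length of `source` before parsing.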