On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
> `eval(the_string, globals = {"__builtins__":None}, locals = {})`
> should do it. This removes access from all functions. Add any
> functions that are needed by adding them to the "locals" dictionary.
>
> As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
> and http://lybniz2.sourceforge.net/safeeval.html
Wow, this works, though for much deeper reasons than those given above.
sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
{'ArithmeticError': <type 'exceptions.ArithmeticError'>,
...
'zip': <built-in function zip>}
sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__":None}, {})
------------------------------------------------------------
Traceback (most recent call last):
File "<ipython console>", line 1, in <module>
File "<string>", line 1, in <module>
RuntimeError: restricted attribute
Even
sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')",
{"__builtins__": None}, {})
------------------------------------------------------------
Traceback (most recent call last):
File "<ipython console>", line 1, in <module>
File "<string>", line 1, in <module>
File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
IOError: file() constructor not accessible in restricted mode
In short, if globals()['__builtins__'] != __builtins__ it runs in
"Restricted mode" which disallows certain introspections and other
operations. I don't know that it's bulletproof, but it looks pretty
solid.
- Robert
>
> On Sep 9, 11:50 pm, Mikie <[email protected]> wrote:
>> I need to be able to input a string like this ---
>> L1="[3,10,15,23,25,30,3,[5]*3]"
>> Need the repeated values for the 5. If I don't have repeated values
>> your code works.
>> I have done some error trapping for "eval". Users cannot put
>> something like "rm".
>>
>> On Sep 8, 2:38 pm, Robert Bradshaw <[email protected]>
>> wrote:
>>
>>> On Sep 8, 2009, at 11:28 AM, Mikie wrote:
>>
>>>> Here is the function
>>>> -------------------------------
>>>> def BasicStats1a(exp1):
>>>>     v = exp1
>>>>     v1 = eval(v); Count_ = len(v1)
>>>>     sort_v1 = sorted(v1)
>>>>     M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
>>>>     R1 = stats.mean(v1); R2 = stats.median(v1)
>>>>     R3 = stats.std(v1)
>>>>     var_ = R3**2
>>>>     return R1, R2, R3, Count_, sort_v1, var_, v3, v4
>>>> ------------------------------------------------------------
>>>> You can see the eval's. Is there a security problem with
>>>> sage_eval?
>>
>>> Yes.
>>
>>>> The string comes from a form.
>>
>>> You should look up string processing in Python, I think that would
>>> help a lot in much of what you're trying to do here. For example,
>>
>>> sage: s = "1,2,3,4,100"
>>> sage: [ZZ(x) for x in s.split(',')]
>>> [1, 2, 3, 4, 100]
>>
>>> This is fast, safe, and more clear than the above.
>>
>>> - Robert
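The string-processing approach Robert suggests, extended to cover the "[5]*3" repeat groups Mikie needs, as an added example that is not code from the thread. It assumes the form input is a comma-separated list of integers, optionally wrapped in brackets, with repeats written as "[value]*count", and uses plain int in place of Sage's ZZ; anything outside that grammar raises ValueError instead of being evaluated.

```python
import re

# Grammar for the form input (an assumption about the intended format):
# each comma-separated item is either an integer or a repeat group "[v]*n".
_ITEM = re.compile(r"""
    \s*(?:
        \[\s*(?P<rv>-?\d+)\s*\]\s*\*\s*(?P<rn>\d+)   # repeat group, e.g. [5]*3
      | (?P<v>-?\d+)                                 # plain integer, e.g. 23
    )\s*$""", re.VERBOSE)

# Cap on the expanded length so an input like "[1]*999999999" is rejected
# before it can exhaust memory.
MAX_ITEMS = 10_000


def parse_int_list(text, max_items=MAX_ITEMS):
    """Parse "[3,10,[5]*3]" into [3, 10, 5, 5, 5] without calling eval.

    Only the two item shapes above are accepted, so a string such as
    "__import__('os')" never reaches the interpreter; it is a ValueError.
    """
    s = text.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    if not s.strip():
        return []
    out = []
    for piece in s.split(","):
        m = _ITEM.match(piece)
        if m is None:
            raise ValueError("invalid item: %r" % piece)
        if m.group("v") is not None:
            out.append(int(m.group("v")))
        else:
            count = int(m.group("rn"))
            if len(out) + count > max_items:
                raise ValueError("list too long")
            out.extend([int(m.group("rv"))] * count)
    return out


if __name__ == "__main__":
    # Constructed sample input, taken from the format Mikie describes.
    print(parse_int_list("[3,10,15,23,25,30,3,[5]*3]"))
```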