[sage-support] Re: eval(string)
Can't get [4]*(130)] to work with sage:

    sage: s = '1,2,3,4,100'
    sage: [ZZ(x) for x in s.split(',')]
    [1, 2, 3, 4, 100]

I am using a try/exception on the input from the field in the form. If one puts any strange string it shows an error.

Robert, did you see my post for help with my API?

On Sep 14, 7:59 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> On Sep 14, 2009, at 12:09 PM, Mikie wrote:
> > Robert, can I use your technique above to input this string? The [5]*3 gives me a problem
> >
> >     L1=[3,10,15,23,25,30,3,[5]*3]
>
> You can, but here you're getting to the point where you're allowing arbitrary input, not just a list of integers. What about [1, 2, 3, [4]*(130)]? How much memory do you have on your machine?
>
> - Robert
>
> > On Sep 10, 1:56 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> > > On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:
> > > > On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
> > > > > `eval(the_string, {'__builtins__': None}, {})` should do it. This removes access from all functions. Add any functions that are needed by adding them to the locals dictionary. As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings and http://lybniz2.sourceforge.net/safeeval.html
> > > >
> > > > Wow, this works, though for much deeper reasons than those given above.
> > > >
> > > >     sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
> > > >     {'ArithmeticError': <type 'exceptions.ArithmeticError'>, ... 'zip': <built-in function zip>}
> > > >     sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {'__builtins__': None}, {})
> > > >     Traceback (most recent call last):
> > > >       File "<ipython console>", line 1, in <module>
> > > >       File "<string>", line 1, in <module>
> > > >     RuntimeError: restricted attribute
> > > >
> > > > Even
> > > >
> > > >     sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {'__builtins__': None}, {})
> > > >     Traceback (most recent call last):
> > > >       File "<ipython console>", line 1, in <module>
> > > >       File "<string>", line 1, in <module>
> > > >       File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
> > > >     IOError: file() constructor not accessible in restricted mode
> > > >
> > > > In short, if globals()['__builtins__'] != __builtins__ it runs in Restricted mode which disallows certain introspections and other operations. I don't know that it's bullet proof, but it looks pretty solid.
> > >
> > > A little googling yielded http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html which is one (of who knows how many) holes in restricted mode.
> > >
> > > - Robert

To post to this group, send email to sage-support@googlegroups.com
To unsubscribe from this group, send email to sage-support-unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/sage-support
URLs: http://www.sagemath.org
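Robert's objection in the quoted exchange is that once the form field may contain `[5]*3`, evaluating it hands the user arbitrary Python, and neither `{'__builtins__': None}` nor a try/except around `eval` stops an input like `[1, 2, 3, [4]*(130)]` from allocating until memory runs out. His `s.split(',')` / `ZZ(x)` suggestion generalises to the repeated-value case without touching `eval`: accept exactly the two shapes the thread needs (a plain integer, and `[n]*k` with a bare integer `k`), cap the repeat count and the total length, and reject everything else. The example below is added here and is not code from the thread or from Sage; `parse_int_list`, `ParseError`, `is_rejected`, `basic_stats`, the cap values and the sample inputs are all assumptions of this example. `basic_stats` reproduces the figures `BasicStats1a` computes, from the parsed list rather than from `eval`.

```python
import re
import statistics
from collections import Counter

# Limits are assumptions for this example; size them for the real form.
MAX_ITEMS = 10_000   # total elements the parsed list may hold
MAX_REPEAT = 1_000   # largest k accepted in [n]*k
MAX_DIGITS = 18      # longest integer literal accepted


class ParseError(ValueError):
    """Raised for any input the whitelist grammar does not accept."""


_INT = r"[+-]?\d{1,%d}" % MAX_DIGITS
# One comma-separated item: a plain integer, or [n]*k with a bare integer k.
_ITEM = re.compile(
    r"^\s*(?:(%s)|\[\s*(%s)\s*\]\s*\*\s*(\d{1,6}))\s*$" % (_INT, _INT)
)


def parse_int_list(text):
    """Parse 'L1=[3,10,[5]*3]' into [3, 10, 5, 5, 5] without calling eval.

    Accepts an optional 'name=' prefix and optional outer brackets, because the
    form value in the thread carries both. Every other shape (nested lists,
    parentheses, attribute access, calls, ...) is rejected with ParseError.
    """
    s = text.strip()
    s = re.sub(r"^[A-Za-z_]\w*\s*=\s*", "", s, count=1)   # drop 'L1='
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    if not s.strip():
        raise ParseError("empty list")
    out = []
    for piece in s.split(","):
        m = _ITEM.match(piece)
        if m is None:
            raise ParseError("unexpected token %r" % piece.strip())
        if m.group(1) is not None:
            value, count = int(m.group(1)), 1
        else:
            value, count = int(m.group(2)), int(m.group(3))
            if count > MAX_REPEAT:
                raise ParseError("repeat count %d exceeds %d" % (count, MAX_REPEAT))
        # Check the bound before extending, so a huge k never allocates.
        if len(out) + count > MAX_ITEMS:
            raise ParseError("list longer than %d items" % MAX_ITEMS)
        out.extend([value] * count)
    return out


def is_rejected(text):
    """True when parse_int_list refuses the input (useful for tests and logging)."""
    try:
        parse_int_list(text)
    except ParseError:
        return True
    return False


def basic_stats(values):
    """The figures BasicStats1a computes, from an already-parsed list of ints."""
    mode_value, mode_count = Counter(values).most_common(1)[0]
    return {
        "count": len(values),
        "sorted": sorted(values),
        "mean": statistics.mean(values),
        "median": statistics.median(values),
        "std": statistics.pstdev(values),
        "variance": statistics.pvariance(values),
        "mode": mode_value,
        "mode_count": mode_count,
    }


if __name__ == "__main__":
    # Constructed form inputs: the one from the thread, then shapes to refuse.
    print(basic_stats(parse_int_list("L1=[3,10,15,23,25,30,3,[5]*3]")))
    for bad in ("[1, 2, 3, [4]*(130)]", "[4]*99999", "__import__('os')", "[[1]]"):
        print("%-25s rejected=%s" % (bad, is_rejected(bad)))
```

Because the grammar is a whitelist, the question "can the user put something like rm in it?" no longer needs answering: there is no evaluation step for a string to reach, and the size caps are enforced before any list is built. The caps double as a detection point, since a rejected input with an oversized repeat count is worth logging alongside the client address.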
[sage-support] Re: eval(string)
Robert, can I use your technique above to input this string? The [5]*3 gives me a problem

    L1=[3,10,15,23,25,30,3,[5]*3]

On Sep 10, 1:56 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:
> > On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
> > > `eval(the_string, {'__builtins__': None}, {})` should do it. This removes access from all functions. Add any functions that are needed by adding them to the locals dictionary. As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings and http://lybniz2.sourceforge.net/safeeval.html
> >
> > Wow, this works, though for much deeper reasons than those given above.
> >
> >     sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
> >     {'ArithmeticError': <type 'exceptions.ArithmeticError'>, ... 'zip': <built-in function zip>}
> >     sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {'__builtins__': None}, {})
> >     Traceback (most recent call last):
> >       File "<ipython console>", line 1, in <module>
> >       File "<string>", line 1, in <module>
> >     RuntimeError: restricted attribute
> >
> > Even
> >
> >     sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {'__builtins__': None}, {})
> >     Traceback (most recent call last):
> >       File "<ipython console>", line 1, in <module>
> >       File "<string>", line 1, in <module>
> >       File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
> >     IOError: file() constructor not accessible in restricted mode
> >
> > In short, if globals()['__builtins__'] != __builtins__ it runs in Restricted mode which disallows certain introspections and other operations. I don't know that it's bullet proof, but it looks pretty solid.
>
> A little googling yielded http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html which is one (of who knows how many) holes in restricted mode.
>
> - Robert
[sage-support] Re: eval(string)
On Sep 14, 2009, at 12:09 PM, Mikie wrote:
> Robert, can I use your technique above to input this string? The [5]*3 gives me a problem
>
>     L1=[3,10,15,23,25,30,3,[5]*3]

You can, but here you're getting to the point where you're allowing arbitrary input, not just a list of integers. What about [1, 2, 3, [4]*(130)]? How much memory do you have on your machine?

- Robert

> On Sep 10, 1:56 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> > On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:
> > > On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
> > > > `eval(the_string, {'__builtins__': None}, {})` should do it. This removes access from all functions. Add any functions that are needed by adding them to the locals dictionary. As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings and http://lybniz2.sourceforge.net/safeeval.html
> > >
> > > Wow, this works, though for much deeper reasons than those given above.
> > >
> > >     sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
> > >     {'ArithmeticError': <type 'exceptions.ArithmeticError'>, ... 'zip': <built-in function zip>}
> > >     sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {'__builtins__': None}, {})
> > >     Traceback (most recent call last):
> > >       File "<ipython console>", line 1, in <module>
> > >       File "<string>", line 1, in <module>
> > >     RuntimeError: restricted attribute
> > >
> > > Even
> > >
> > >     sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {'__builtins__': None}, {})
> > >     Traceback (most recent call last):
> > >       File "<ipython console>", line 1, in <module>
> > >       File "<string>", line 1, in <module>
> > >       File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
> > >     IOError: file() constructor not accessible in restricted mode
> > >
> > > In short, if globals()['__builtins__'] != __builtins__ it runs in Restricted mode which disallows certain introspections and other operations. I don't know that it's bullet proof, but it looks pretty solid.
> >
> > A little googling yielded http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html which is one (of who knows how many) holes in restricted mode.
> >
> > - Robert
[sage-support] Re: eval(string)
On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
> `eval(the_string, {'__builtins__': None}, {})` should do it. This removes access from all functions. Add any functions that are needed by adding them to the locals dictionary. As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings and http://lybniz2.sourceforge.net/safeeval.html

Wow, this works, though for much deeper reasons than those given above.

    sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
    {'ArithmeticError': <type 'exceptions.ArithmeticError'>, ... 'zip': <built-in function zip>}
    sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {'__builtins__': None}, {})
    Traceback (most recent call last):
      File "<ipython console>", line 1, in <module>
      File "<string>", line 1, in <module>
    RuntimeError: restricted attribute

Even

    sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {'__builtins__': None}, {})
    Traceback (most recent call last):
      File "<ipython console>", line 1, in <module>
      File "<string>", line 1, in <module>
      File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
    IOError: file() constructor not accessible in restricted mode

In short, if globals()['__builtins__'] != __builtins__ it runs in Restricted mode which disallows certain introspections and other operations. I don't know that it's bullet proof, but it looks pretty solid.

- Robert

> On Sep 9, 11:50 pm, Mikie thephantom6...@hotmail.com wrote:
> > I need to be able to input a string like this ---
> >
> >     L1=[3,10,15,23,25,30,3,[5]*3]
> >
> > Need the repeated values for the 5. If I don't have repeated values your code works. I have done some error trapping for eval. Users can not put something like rm.
> >
> > On Sep 8, 2:38 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> > > On Sep 8, 2009, at 11:28 AM, Mikie wrote:
> > > > Here is the function ---
> > > >
> > > >     def BasicStats1a(exp1):
> > > >         v = exp1
> > > >         v1 = eval(v); Count_ = len(v1)
> > > >         sort_v1 = sorted(v1)
> > > >         M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
> > > >         R1 = stats.mean(v1); R2 = stats.median(v1)
> > > >         R3 = stats.std(v1)
> > > >         var_ = R3**2
> > > >         return R1, R2, R3, Count_, sort_v1, var_, v3, v4
> > > >
> > > > You can see the eval's. Is there a security problem with sage_eval?
> > >
> > > Yes.
> > >
> > > > The string comes from a form.
> > >
> > > You should look up string processing in Python, I think that would help a lot in much of what you're trying to do here. For example,
> > >
> > >     sage: s = '1,2,3,4,100'
> > >     sage: [ZZ(x) for x in s.split(',')]
> > >     [1, 2, 3, 4, 100]
> > >
> > > This is fast, safe, and more clear than the above.
> > >
> > > - Robert
[sage-support] Re: eval(string)
On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:
> On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
> > `eval(the_string, {'__builtins__': None}, {})` should do it. This removes access from all functions. Add any functions that are needed by adding them to the locals dictionary. As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings and http://lybniz2.sourceforge.net/safeeval.html
>
> Wow, this works, though for much deeper reasons than those given above.
>
>     sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
>     {'ArithmeticError': <type 'exceptions.ArithmeticError'>, ... 'zip': <built-in function zip>}
>     sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {'__builtins__': None}, {})
>     Traceback (most recent call last):
>       File "<ipython console>", line 1, in <module>
>       File "<string>", line 1, in <module>
>     RuntimeError: restricted attribute
>
> Even
>
>     sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {'__builtins__': None}, {})
>     Traceback (most recent call last):
>       File "<ipython console>", line 1, in <module>
>       File "<string>", line 1, in <module>
>       File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
>     IOError: file() constructor not accessible in restricted mode
>
> In short, if globals()['__builtins__'] != __builtins__ it runs in Restricted mode which disallows certain introspections and other operations. I don't know that it's bullet proof, but it looks pretty solid.

A little googling yielded http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html which is one (of who knows how many) holes in restricted mode.

- Robert
[sage-support] Re: eval(string)
I need to be able to input a string like this ---

    L1=[3,10,15,23,25,30,3,[5]*3]

Need the repeated values for the 5. If I don't have repeated values your code works. I have done some error trapping for eval. Users can not put something like rm.

On Sep 8, 2:38 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> On Sep 8, 2009, at 11:28 AM, Mikie wrote:
> > Here is the function ---
> >
> >     def BasicStats1a(exp1):
> >         v = exp1
> >         v1 = eval(v); Count_ = len(v1)
> >         sort_v1 = sorted(v1)
> >         M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
> >         R1 = stats.mean(v1); R2 = stats.median(v1)
> >         R3 = stats.std(v1)
> >         var_ = R3**2
> >         return R1, R2, R3, Count_, sort_v1, var_, v3, v4
> >
> > You can see the eval's. Is there a security problem with sage_eval?
>
> Yes.
>
> > The string comes from a form.
>
> You should look up string processing in Python, I think that would help a lot in much of what you're trying to do here. For example,
>
>     sage: s = '1,2,3,4,100'
>     sage: [ZZ(x) for x in s.split(',')]
>     [1, 2, 3, 4, 100]
>
> This is fast, safe, and more clear than the above.
>
> - Robert
[sage-support] Re: eval(string)
`eval(the_string, {'__builtins__': None}, {})` should do it. This removes access from all functions. Add any functions that are needed by adding them to the locals dictionary. As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings and http://lybniz2.sourceforge.net/safeeval.html

On Sep 9, 11:50 pm, Mikie thephantom6...@hotmail.com wrote:
> I need to be able to input a string like this ---
>
>     L1=[3,10,15,23,25,30,3,[5]*3]
>
> Need the repeated values for the 5. If I don't have repeated values your code works. I have done some error trapping for eval. Users can not put something like rm.
>
> On Sep 8, 2:38 pm, Robert Bradshaw rober...@math.washington.edu wrote:
> > On Sep 8, 2009, at 11:28 AM, Mikie wrote:
> > > Here is the function ---
> > >
> > >     def BasicStats1a(exp1):
> > >         v = exp1
> > >         v1 = eval(v); Count_ = len(v1)
> > >         sort_v1 = sorted(v1)
> > >         M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
> > >         R1 = stats.mean(v1); R2 = stats.median(v1)
> > >         R3 = stats.std(v1)
> > >         var_ = R3**2
> > >         return R1, R2, R3, Count_, sort_v1, var_, v3, v4
> > >
> > > You can see the eval's. Is there a security problem with sage_eval?
> >
> > Yes.
> >
> > > The string comes from a form.
> >
> > You should look up string processing in Python, I think that would help a lot in much of what you're trying to do here. For example,
> >
> >     sage: s = '1,2,3,4,100'
> >     sage: [ZZ(x) for x in s.split(',')]
> >     [1, 2, 3, 4, 100]
> >
> > This is fast, safe, and more clear than the above.
> >
> > - Robert
[sage-support] Re: eval(string)
Can you please elaborate, what kind of list it is? Post an example, tell us what web form it is (if necessary) and what do you want to do with it? Besides eval, there is also sage_eval.

H

On Sep 8, 7:01 pm, Mikie thephantom6...@hotmail.com wrote:
> I am taking a string that is a list. It is coming from an HTML form. Is there any way other than eval to get the value from the list? When I take a single value from the form I use SR and it works, but no luck with the list.
>
> Thanx
[sage-support] Re: eval(string)
Here is the function ---

    def BasicStats1a(exp1):
        v = exp1
        v1 = eval(v); Count_ = len(v1)
        sort_v1 = sorted(v1)
        M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
        R1 = stats.mean(v1); R2 = stats.median(v1)
        R3 = stats.std(v1)
        var_ = R3**2
        return R1, R2, R3, Count_, sort_v1, var_, v3, v4

You can see the eval's. Is there a security problem with sage_eval? The string comes from a form.

On Sep 8, 11:29 am, Harald Schilly harald.schi...@gmail.com wrote:
> Can you please elaborate, what kind of list it is? Post an example, tell us what web form it is (if necessary) and what do you want to do with it? Besides eval, there is also sage_eval.
>
> H
>
> On Sep 8, 7:01 pm, Mikie thephantom6...@hotmail.com wrote:
> > I am taking a string that is a list. It is coming from an HTML form. Is there any way other than eval to get the value from the list? When I take a single value from the form I use SR and it works, but no luck with the list.
> >
> > Thanx
[sage-support] Re: eval(string)
On Sep 8, 2009, at 11:28 AM, Mikie wrote:
> Here is the function ---
>
>     def BasicStats1a(exp1):
>         v = exp1
>         v1 = eval(v); Count_ = len(v1)
>         sort_v1 = sorted(v1)
>         M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
>         R1 = stats.mean(v1); R2 = stats.median(v1)
>         R3 = stats.std(v1)
>         var_ = R3**2
>         return R1, R2, R3, Count_, sort_v1, var_, v3, v4
>
> You can see the eval's. Is there a security problem with sage_eval?

Yes.

> The string comes from a form.

You should look up string processing in Python, I think that would help a lot in much of what you're trying to do here. For example,

    sage: s = '1,2,3,4,100'
    sage: [ZZ(x) for x in s.split(',')]
    [1, 2, 3, 4, 100]

This is fast, safe, and more clear than the above.

- Robert