[sage-support] Re: eval(string)

2009-09-16 Thread Mikie

Can't get [4]*(1<<30)] to work with

sage: s = "1,2,3,4,100"
sage: [ZZ(x) for x in s.split(',')]
[1, 2, 3, 4, 100]

I am using a try/exception on the input from the field in the form.
If one puts any strange string it shows an error.

Robert did you see my post for help with my API?

On Sep 14, 7:59 pm, Robert Bradshaw rober...@math.washington.edu
wrote:
 On Sep 14, 2009, at 12:09 PM, Mikie wrote:

  Robert,

  Can I use your technique above to input this string?  The [5]*3
  gives me a problem

  L1=[3,10,15,23,25,30,3,[5]*3]

 You can, but here you're getting to the point where you're allowing
 arbitrary input, not just a list of integers. What about [1, 2, 3,
 [4]*(1<<30)]? How much memory do you have on your machine?

 - Robert

  On Sep 10, 1:56 pm, Robert Bradshaw rober...@math.washington.edu
  wrote:
  On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:

  On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:

  `eval(the_string, {"__builtins__": None}, {})`
  should do it. This removes access from all functions. Add any
  functions that are needed by adding them to the locals
  dictionary.

  As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
  and http://lybniz2.sourceforge.net/safeeval.html

  Wow, this works, though for much deeper reasons than those given
  above.

  sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
  {'ArithmeticError': <type 'exceptions.ArithmeticError'>,
  ...
  'zip': <built-in function zip>}

  sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__": None}, {})
  Traceback (most recent call last):
    File "<ipython console>", line 1, in <module>
    File "<string>", line 1, in <module>
  RuntimeError: restricted attribute

  Even

  sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
  Traceback (most recent call last):
    File "<ipython console>", line 1, in <module>
    File "<string>", line 1, in <module>
    File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
  IOError: file() constructor not accessible in restricted mode

  In short, if globals()['__builtins__'] != __builtins__ it runs in
  Restricted mode which disallows certain introspections and other
  operations. I don't know that it's bullet proof, but it looks pretty
  solid.

  A little googling yielded

 http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html

  which is one (of who knows how many) holes in restricted mode.

  - Robert
--~--~-~--~~~---~--~~
To post to this group, send email to sage-support@googlegroups.com
To unsubscribe from this group, send email to 
sage-support-unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/sage-support
URLs: http://www.sagemath.org
-~--~~~~--~~--~--~---



[sage-support] Re: eval(string)

2009-09-14 Thread Mikie

Robert,

Can I use your technique above to input this string?  The [5]*3
gives me a problem

L1=[3,10,15,23,25,30,3,[5]*3]


On Sep 10, 1:56 pm, Robert Bradshaw rober...@math.washington.edu
wrote:
 On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:


  On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:

  `eval(the_string, {"__builtins__": None}, {})`
  should do it. This removes access from all functions. Add any
  functions that are needed by adding them to the locals dictionary.

  As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
  and http://lybniz2.sourceforge.net/safeeval.html

  Wow, this works, though for much deeper reasons than those given  
  above.

  sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
  {'ArithmeticError': <type 'exceptions.ArithmeticError'>,
  ...
  'zip': <built-in function zip>}

  sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__": None}, {})
  Traceback (most recent call last):
    File "<ipython console>", line 1, in <module>
    File "<string>", line 1, in <module>
  RuntimeError: restricted attribute

  Even

  sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
  Traceback (most recent call last):
    File "<ipython console>", line 1, in <module>
    File "<string>", line 1, in <module>
    File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
  IOError: file() constructor not accessible in restricted mode

  In short, if globals()['__builtins__'] != __builtins__ it runs in
  Restricted mode which disallows certain introspections and other
  operations. I don't know that it's bullet proof, but it looks pretty
  solid.

 A little googling yielded

 http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html

 which is one (of who knows how many) holes in restricted mode.

 - Robert



[sage-support] Re: eval(string)

2009-09-14 Thread Robert Bradshaw

On Sep 14, 2009, at 12:09 PM, Mikie wrote:

 Robert,

 Can I use your technique above to input this string?  The [5]*3
 gives me a problem

 L1=[3,10,15,23,25,30,3,[5]*3]

You can, but here you're getting to the point where you're allowing
arbitrary input, not just a list of integers. What about [1, 2, 3,
[4]*(1<<30)]? How much memory do you have on your machine?

- Robert



 On Sep 10, 1:56 pm, Robert Bradshaw rober...@math.washington.edu
 wrote:
 On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:


 On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:

 `eval(the_string, {"__builtins__": None}, {})`
 should do it. This removes access from all functions. Add any
 functions that are needed by adding them to the locals
 dictionary.

 As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
 and http://lybniz2.sourceforge.net/safeeval.html

 Wow, this works, though for much deeper reasons than those given
 above.

 sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
 {'ArithmeticError': <type 'exceptions.ArithmeticError'>,
 ...
 'zip': <built-in function zip>}

 sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__": None}, {})
 Traceback (most recent call last):
   File "<ipython console>", line 1, in <module>
   File "<string>", line 1, in <module>
 RuntimeError: restricted attribute

 Even

 sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
 Traceback (most recent call last):
   File "<ipython console>", line 1, in <module>
   File "<string>", line 1, in <module>
   File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
 IOError: file() constructor not accessible in restricted mode

 In short, if globals()['__builtins__'] != __builtins__ it runs in
 Restricted mode which disallows certain introspections and other
 operations. I don't know that it's bullet proof, but it looks pretty
 solid.

 A little googling yielded

 http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html

 which is one (of who knows how many) holes in restricted mode.

 - Robert
 


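Robert's objection above is that once the field accepts `[5]*3` it accepts expressions, and `[4]*(1<<30)` is a memory bomb whether or not eval is sandboxed. The way out is to not evaluate the string at all and instead parse it with a grammar that admits only what the form needs. The following is an added example, not code from the thread or from Sage: it uses Python 3's `ast` module (3.8 or later) to accept integer literals, nested lists or tuples of them, and `[...] * N` with a literal `N`, flattening the result and capping both the repeat count and the expanded size so the allocation is refused before it happens. The cap values, the flattening of `[5]*3` into three 5s, and the function names are assumptions of this example.

```python
"""Parse a form field such as "[3,10,15,23,25,30,3,[5]*3]" into a flat list of
ints without evaluating it.  Added example (Python 3.8+), not code from the
thread or from Sage; every cap below is an assumed value."""
import ast

MAX_REPEAT = 1000      # assumed cap on N in "[...]*N"
MAX_ELEMENTS = 10000   # assumed cap on the total number of values produced
MAX_TEXT = 10000       # assumed cap on the raw field length


class BadInput(ValueError):
    """Raised for anything that is not a bounded list of integers."""


def _spend(budget, count):
    """Charge `count` values against the remaining budget before building them."""
    if count > budget[0]:
        raise BadInput("input would expand to more than %d values" % MAX_ELEMENTS)
    budget[0] -= count


def _walk(node, budget):
    """Return the flat list of ints denoted by `node`, or raise BadInput.

    Four node shapes are accepted: an int literal, a negated int literal, a
    list or tuple of accepted nodes, and "<list> * <int literal>".  Everything
    else (names, calls, attribute access such as __class__, operators such as
    << or **, floats, bools) falls through to the final raise."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        _spend(budget, 1)
        return [node.value]
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and type(node.operand.value) is int):
        _spend(budget, 1)
        return [-node.operand.value]
    if isinstance(node, (ast.List, ast.Tuple)):
        values = []
        for elt in node.elts:
            values.extend(_walk(elt, budget))
        return values
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mult):
        # The count must be a plain literal: "[4]*(1<<30)" and "[4]*10**9"
        # are rejected here, before anything is allocated.
        if not (isinstance(node.left, (ast.List, ast.Tuple))
                and isinstance(node.right, ast.Constant)
                and type(node.right.value) is int):
            raise BadInput("only '[...] * N' with a literal N is allowed")
        n = node.right.value
        if not 0 <= n <= MAX_REPEAT:
            raise BadInput("repeat count %d outside 0..%d" % (n, MAX_REPEAT))
        # Walk the repeated block against a copy of the budget, then charge
        # the fully expanded size before the multiplication happens.
        block = _walk(node.left, [budget[0]])
        _spend(budget, len(block) * n)
        return block * n
    raise BadInput("unsupported syntax: %s" % type(node).__name__)


def parse_int_list(text):
    """Parse `text` into a flat list of ints.

    Nested lists are flattened and "[x]*n" contributes n copies of x, which is
    what the form in the thread wants (Python itself would keep a nested list).
    """
    if len(text) > MAX_TEXT:
        raise BadInput("input too long")
    try:
        # strip(): compile() in eval mode rejects leading whitespace.
        # ValueError covers oversized int literals on Python 3.11+.
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        raise BadInput("not a list literal: %s" % exc)
    return _walk(tree.body, [MAX_ELEMENTS])


def is_safe_int_list(text):
    """True if `text` is accepted, False if parse_int_list raises BadInput."""
    try:
        parse_int_list(text)
    except BadInput:
        return False
    return True


if __name__ == "__main__":
    print(parse_int_list("[3,10,15,23,25,30,3,[5]*3]"))
    for bad in ("[4]*(1<<30)", "[].__class__.__subclasses__()", "[[5]*100]*101"):
        print(bad, "->", is_safe_int_list(bad))
```

The point of doing it on the AST rather than with `ast.literal_eval` is that `literal_eval` has no notion of `*`, and the point of doing it on the AST rather than with a regex is that the parser, not the form author, decides where a list ends. The bare form `1,2,3,4,100` that Robert's `split(',')` handles is accepted as a tuple, so both styles of input go through the same check.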



[sage-support] Re: eval(string)

2009-09-10 Thread Robert Bradshaw

On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:

 `eval(the_string, {"__builtins__": None}, {})`
 should do it. This removes access from all functions. Add any
 functions that are needed by adding them to the locals dictionary.

 As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
 and http://lybniz2.sourceforge.net/safeeval.html

Wow, this works, though for much deeper reasons than those given above.

sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
{'ArithmeticError': <type 'exceptions.ArithmeticError'>,
...
'zip': <built-in function zip>}

sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__": None}, {})
Traceback (most recent call last):
  File "<ipython console>", line 1, in <module>
  File "<string>", line 1, in <module>
RuntimeError: restricted attribute

Even

sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
Traceback (most recent call last):
  File "<ipython console>", line 1, in <module>
  File "<string>", line 1, in <module>
  File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
IOError: file() constructor not accessible in restricted mode

In short, if globals()['__builtins__'] != __builtins__ it runs in  
Restricted mode which disallows certain introspections and other  
operations. I don't know that it's bullet proof, but it looks pretty  
solid.

- Robert



 On Sep 9, 11:50 pm, Mikie thephantom6...@hotmail.com wrote:
 I need to be able to input a string like this ---
 L1=[3,10,15,23,25,30,3,[5]*3]
 Need the repeated values for the 5.  If I don't have repeated values
 your code works.
 I have done some error trapping for eval.  Users can not put
 something like rm.

 On Sep 8, 2:38 pm, Robert Bradshaw rober...@math.washington.edu
 wrote:

 On Sep 8, 2009, at 11:28 AM, Mikie wrote:

 Here is the function
 ---
 def BasicStats1a(exp1):
     # stats: statistics module imported elsewhere (assumed, e.g. scipy.stats)
     v = exp1
     v1 = eval(v); Count_ = len(v1)
     sort_v1 = sorted(v1)
     M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
     R1 = stats.mean(v1); R2 = stats.median(v1)
     R3 = stats.std(v1)
     var_ = R3**2
     return R1, R2, R3, Count_, sort_v1, var_, v3, v4
 
 You can see the eval's.  Is there a security problem with  
 sage_eval?

 Yes.

 The string comes from a form.

 You should look up string processing in Python, I think that would
 help a lot in much of what you're trying to do here. For example,

 sage: s = "1,2,3,4,100"
 sage: [ZZ(x) for x in s.split(',')]
 [1, 2, 3, 4, 100]

 This is fast, safe, and more clear than the above.

 - Robert
 





[sage-support] Re: eval(string)

2009-09-10 Thread Robert Bradshaw

On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:


 On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:

 `eval(the_string, {"__builtins__": None}, {})`
 should do it. This removes access from all functions. Add any
 functions that are needed by adding them to the locals dictionary.

 As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
 and http://lybniz2.sourceforge.net/safeeval.html

 Wow, this works, though for much deeper reasons than those given  
 above.

 sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
 {'ArithmeticError': <type 'exceptions.ArithmeticError'>,
 ...
 'zip': <built-in function zip>}

 sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__": None}, {})
 Traceback (most recent call last):
   File "<ipython console>", line 1, in <module>
   File "<string>", line 1, in <module>
 RuntimeError: restricted attribute

 Even

 sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
 Traceback (most recent call last):
   File "<ipython console>", line 1, in <module>
   File "<string>", line 1, in <module>
   File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
 IOError: file() constructor not accessible in restricted mode

 In short, if globals()['__builtins__'] != __builtins__ it runs in
 Restricted mode which disallows certain introspections and other
 operations. I don't know that it's bullet proof, but it looks pretty
 solid.

A little googling yielded

http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html

which is one (of who knows how many) holes in restricted mode.

- Robert


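The `RuntimeError: restricted attribute` Robert hit above comes from Python 2's restricted execution mode, which kicks in precisely because `__builtins__` in the eval globals is not the real builtins. Python 3 removed restricted mode entirely, so on a Python 3 interpreter the same `{"__builtins__": None}` trick still hides builtin names but no longer interferes with attribute access, and the thread's `__class__` / `__subclasses__` / `__globals__` chain walks straight back to the real builtins. The following is an added example, not code from the thread or from Sage, written for plain CPython 3: instead of the Sage-specific `[2].is_mutable` it selects the first subclass of `object` whose `__init__` is a Python function (any imported module's globals carry `__builtins__`), which is this example's own choice of payload, and it reports which of `open`, `__import__` and `exec` the "safe" eval hands back. The companion function shows the one thing the trick does block, a bare builtin name; CPython raises `TypeError` or `NameError` there depending on the version, so only the fact that it fails is relied on.

```python
"""Python 3 has no restricted mode, so passing {"__builtins__": None} to
eval() only hides builtin *names*; attribute access is untouched.  Added
example for CPython 3, not code from the thread or from Sage."""

# The thread's payload hard-codes subclass index [2] and a Sage method
# (is_mutable).  This version walks object.__subclasses__() for the first
# class whose __init__ is a Python function, then reads that function's
# module globals, where every imported module keeps a __builtins__ entry.
# No builtin name is used anywhere, so {"__builtins__": None} cannot stop it.
PAYLOAD = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__init__.__class__.__name__ == 'function'"
    " and '__builtins__' in c.__init__.__globals__]"
    "[0].__init__.__globals__['__builtins__']"
)

SAFE_GLOBALS = {"__builtins__": None}   # the thread's "safe" eval globals


def blocked_name_lookup():
    """What the trick does block: a bare builtin name such as open().

    Returns the exception class name raised, or None if the call went
    through.  CPython raises TypeError or NameError here depending on the
    version, so callers should only rely on the call failing."""
    try:
        eval("open('/etc/passwd')", dict(SAFE_GLOBALS), {})
    except Exception as exc:
        return type(exc).__name__
    return None


def escape_builtins():
    """What it does not block: reaching the real builtins via attributes.

    Returns the sorted subset of ('__import__', 'exec', 'open') present in
    the namespace the payload reaches; on CPython 3 this is all three."""
    leaked = eval(PAYLOAD, dict(SAFE_GLOBALS), {})
    # An imported module's __builtins__ is normally the builtins dict, but
    # __main__'s is the module object, so accept either form.
    names = leaked if isinstance(leaked, dict) else vars(leaked)
    return sorted(n for n in ("__import__", "exec", "open") if n in names)


if __name__ == "__main__":
    print("bare name lookup raised:", blocked_name_lookup())
    print("reachable via attribute walk:", escape_builtins())
```

Once `__import__` is in hand the rest is ordinary Python, which is why the lybniz-style "remove the builtins" recipe should be read as a convenience filter, not a sandbox: the only robust options for untrusted expressions are a purpose-built parser or an OS-level isolation boundary.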



[sage-support] Re: eval(string)

2009-09-09 Thread Mikie

I need to be able to input a string like this ---
L1=[3,10,15,23,25,30,3,[5]*3]
Need the repeated values for the 5.  If I don't have repeated values
your code works.
I have done some error trapping for eval.  Users can not put
something like rm.

On Sep 8, 2:38 pm, Robert Bradshaw rober...@math.washington.edu
wrote:
 On Sep 8, 2009, at 11:28 AM, Mikie wrote:

  Here is the function
  ---
  def BasicStats1a(exp1):
      v = exp1
      v1 = eval(v);Count_=len(v1)
      sort_v1=sorted(v1)
      M1 =stats.mode(v1); v3=eval(str(M1[0])); v4=eval(str(M1[1]))
      R1 = stats.mean(v1);R2 = stats.median(v1)
      R3 = stats.std(v1)
      var_=R3**2
      return R1,R2,R3,Count_,sort_v1,var_,v3,v4
  
  You can see the eval's.  Is there a security problem with sage_eval?

 Yes.

  The string comes from a form.

 You should look up string processing in Python, I think that would  
 help a lot in much of what you're trying to do here. For example,

 sage: s = "1,2,3,4,100"
 sage: [ZZ(x) for x in s.split(',')]
 [1, 2, 3, 4, 100]

 This is fast, safe, and more clear than the above.

 - Robert



[sage-support] Re: eval(string)

2009-09-09 Thread Tim Dumol

`eval(the_string, {"__builtins__": None}, {})`
should do it. This removes access from all functions. Add any
functions that are needed by adding them to the locals dictionary.

As stated in: 
http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
and http://lybniz2.sourceforge.net/safeeval.html

On Sep 9, 11:50 pm, Mikie thephantom6...@hotmail.com wrote:
 I need to be able to input a string like this ---
 L1=[3,10,15,23,25,30,3,[5]*3]
 Need the repeated values for the 5.  If I don't have repeated values
 your code works.
 I have done some error trapping for eval.  Users can not put
 something like rm.

 On Sep 8, 2:38 pm, Robert Bradshaw rober...@math.washington.edu
 wrote:

  On Sep 8, 2009, at 11:28 AM, Mikie wrote:

   Here is the function
   ---
   def BasicStats1a(exp1):
       v = exp1
       v1 = eval(v);Count_=len(v1)
       sort_v1=sorted(v1)
       M1 =stats.mode(v1); v3=eval(str(M1[0])); v4=eval(str(M1[1]))
       R1 = stats.mean(v1);R2 = stats.median(v1)
       R3 = stats.std(v1)
       var_=R3**2
       return R1,R2,R3,Count_,sort_v1,var_,v3,v4
   
   You can see the eval's.  Is there a security problem with sage_eval?

  Yes.

   The string comes from a form.

  You should look up string processing in Python, I think that would  
  help a lot in much of what you're trying to do here. For example,

  sage: s = "1,2,3,4,100"
  sage: [ZZ(x) for x in s.split(',')]
  [1, 2, 3, 4, 100]

  This is fast, safe, and more clear than the above.

  - Robert



[sage-support] Re: eval(string)

2009-09-08 Thread Harald Schilly

Can you please elaborate, what kind of list it is? Post an example,
tell us what web form it is (if necessary) and what do you want to do
with it? Besides eval, there is also sage_eval.

H

On Sep 8, 7:01 pm, Mikie thephantom6...@hotmail.com wrote:
 I am taking a string that is a list.  It is coming from a html form.
 Is there anyway other than eval to get the value from the list?  When
 I take a single value from the form I use SR and it works, but no luck
 with the list.
 Thanx



[sage-support] Re: eval(string)

2009-09-08 Thread Mikie

Here is the function
---
def BasicStats1a(exp1):
    # stats: statistics module imported elsewhere (assumed, e.g. scipy.stats)
    v = exp1
    v1 = eval(v); Count_ = len(v1)
    sort_v1 = sorted(v1)
    M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
    R1 = stats.mean(v1); R2 = stats.median(v1)
    R3 = stats.std(v1)
    var_ = R3**2
    return R1, R2, R3, Count_, sort_v1, var_, v3, v4

You can see the eval's.  Is there a security problem with sage_eval?
The string comes from a form.

On Sep 8, 11:29 am, Harald Schilly harald.schi...@gmail.com wrote:
 Can you please elaborate, what kind of list it is? Post an example,
 tell us what web form it is (if necessary) and what do you want to do
 with it? Besides eval, there is also sage_eval.

 H

 On Sep 8, 7:01 pm, Mikie thephantom6...@hotmail.com wrote:
  I am taking a string that is a list.  It is coming from a html form.
  Is there anyway other than eval to get the value from the list?  When
  I take a single value from the form I use SR and it works, but no luck
  with the list.
  Thanx



[sage-support] Re: eval(string)

2009-09-08 Thread Robert Bradshaw

On Sep 8, 2009, at 11:28 AM, Mikie wrote:

 Here is the function
 ---
 def BasicStats1a(exp1):
     # stats: statistics module imported elsewhere (assumed, e.g. scipy.stats)
     v = exp1
     v1 = eval(v); Count_ = len(v1)
     sort_v1 = sorted(v1)
     M1 = stats.mode(v1); v3 = eval(str(M1[0])); v4 = eval(str(M1[1]))
     R1 = stats.mean(v1); R2 = stats.median(v1)
     R3 = stats.std(v1)
     var_ = R3**2
     return R1, R2, R3, Count_, sort_v1, var_, v3, v4
 
 You can see the eval's.  Is there a security problem with sage_eval?

Yes.

 The string comes from a form.

You should look up string processing in Python, I think that would  
help a lot in much of what you're trying to do here. For example,

sage: s = "1,2,3,4,100"
sage: [ZZ(x) for x in s.split(',')]
[1, 2, 3, 4, 100]

This is fast, safe, and more clear than the above.

- Robert

