Gregory Ewing wrote:
> I posted a demonstration of this earlier in this thread.
As you wrote, your example does not work when using eval() like
in my original post with second and third parameter to eval():
>>> import math
>>> eval("[c for c in (0).__class__.__bases__[0].__subclasses__() if c.__n
Steven D'Aprano wrote:
Not that I don't believe you (I do!) but could you demonstrate for the
record?
I posted a demonstration of this earlier in this thread. The
key thing is the __subclasses__() method of a class. You can
start with any object, work your way up the base class chain
to object
On Wed, 24 Feb 2010 10:11:25 +0100, Dieter Maurer wrote:
> Using functionality introduced with the class/type homogenization, it is
> quite easy to get access to the "file" type (even when "__builtins__" is
> disabled). Having "file", arbitrary files can be read, written,
> destroyed...
Not that
Steven D'Aprano writes on 22 Feb 2010
06:07:05 GMT:
> ...
> It's *especially* not safe if you put nothing in the globals dict,
> because Python kindly rectifies that by putting the builtins into it:
>
> >>> eval("__builtins__.keys()", {}, {})
> ['IndexError', 'all', 'help', 'vars', ... 'Overflo
On Mon, 22 Feb 2010 11:45:10 -0800, Jonathan Gardner wrote:
> Why would you ever run untrusted code on any machine in any language,
> let alone Python?
Because sometimes you have to run untrusted code, so you want to run it
in a sandbox so it can't eat your machine.
E.g. viewing PDF files.
Or
On Sun, Feb 21, 2010 at 1:25 PM, W. Martin Borgert wrote:
>
> I know that this issue has been discussed before, but most of
> the time using only one argument to eval().
>
> Is it possible to use the following code, e.g. run as part of a
> web application, to break in and if so, how?
>
> import ma
On Mon, 22 Feb 2010 18:45:40 +1300, Gregory Ewing wrote:
> W. Martin Borgert wrote:
>
>> def myeval(untrustedinput):
>> return eval(untrustedinput, {"__builtins__": None},
>> { "abs": abs, "sin": math.sin })
>>
>> Is it possible to define functions or import modules from the
W. Martin Borgert wrote:
def myeval(untrustedinput):
return eval(untrustedinput, {"__builtins__": None},
{ "abs": abs, "sin": math.sin })
Is it possible to define functions or import modules from the
untrusted input string?
This is NOT safe as it stands. It still isn't saf
On Sun, 21 Feb 2010 22:25:11 +0100, W. Martin Borgert wrote:
> Hi,
>
> I know that this issue has been discussed before, but most of the time
> using only one argument to eval().
>
> Is it possible to use the following code, e.g. run as part of a web
> application, to break in and if so, how?
>
Hi,
I know that this issue has been discussed before, but most of
the time using only one argument to eval().
Is it possible to use the following code, e.g. run as part of a
web application, to break in and if so, how?
import math
def myeval(untrustedinput):
return eval(untrustedinput, {"__
10 matches
Mail list logo