Re: [Zope] python script, from string to dictionary.

2008-02-11 Thread Chris Withers

Dieter Maurer wrote:
>> - google for the bugs in python's 
>> rexec and bastion modules which lead to them being deprecated...
>
> I speak only about eval (not exec or rexec nor bastion).
> In the eval world, you only have expressions.
> And with the __builtins__ above, you have no builtin functions,
> no classes, no types -- you have just the literals the parser
> can recognize: strings, integer, float, None, lists, tuples,
> dicts, generators and the typical operators on them.


I suggest you actually follow your own usual advice and do some 
searching, it's never that simple, as you'll see from the bugs people 
have encountered with rexec and bastion ;-)


But, for clarity and for the lazy, here's Toby's example of how to get 
at some interesting classes without using anything but the exec 
environment you described:


{}.__class__.__bases__[0].__subclasses__()

I know Toby wanted to keep that off-list but I think it's important that 
people understand just how unsafe it is to exec anything you can't 100% 
trust.


I have an adage that there's always something better than exec and I 
haven't been proved wrong yet...


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] python script, from string to dictionary.

2008-02-08 Thread Chris Withers

[EMAIL PROTECTED] wrote:
> I 'serialized' MySQL data in order to flatten one-to-many related tables. The
> resulting dictionaries (one per record) look e.g. like:
>
> mydict [ brandcode ] =
> {
> 'itemcode': 'some value',
> 'itemsizeavail':
> [
> ('XL',),
> ('XXL',),
> ('S',)
> ],
> 'keythree': '',
> 'keyfour': [ ],
> ...
> }
>
> Now I can index the whole content in order to make it searchable from the
> Plone quick search form.

This is more than a little insane...

> mydict [ ] records are then saved as strings in DB table records.


?!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] python script, from string to dictionary.

2008-02-08 Thread Chris Withers

Dieter Maurer wrote:
> It is easy to secure eval:
>
>    globs = {'__builtins__':{}}
>    eval(s, globs, globs)
>
> This ensures that eval cannot use any builtin functions --
> especially, it cannot import anything.


I'm fairly sure this isn't enough - google for the bugs in python's 
rexec and bastion modules which lead to them being deprecated...


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] python script, from string to dictionary.

2008-02-08 Thread Dieter Maurer
Chris Withers wrote at 2008-2-8 11:14 +:
> Dieter Maurer wrote:
>> It is easy to secure eval:
>>
>>    globs = {'__builtins__':{}}
>>    eval(s, globs, globs)
>>
>> This ensures that eval cannot use any builtin functions --
>> especially, it cannot import anything.
>
> I'm fairly sure this isn't enough

That you are fairly sure is not enough -- unless you
show me an exploit.

> - google for the bugs in python's 
> rexec and bastion modules which lead to them being deprecated...

I speak only about eval (not exec or rexec nor bastion).
In the eval world, you only have expressions.
And with the __builtins__ above, you have no builtin functions,
no classes, no types -- you have just the literals the parser
can recognize: strings, integer, float, None, lists, tuples,
dicts, generators and the typical operators on them.

You are able to construct huge objects and can cause denial of service.
But this is possible even without eval



-- 
Dieter


Re: [Zope] python script, from string to dictionary.

2008-02-07 Thread Chris Withers

Bill Campbell wrote:
> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>> hello!
>>
>> I converted a dictionary in a string, and now I need to change back the
>> same string as a dictionary in a zope python script.
>
> s = repr(d)
> newdict = eval(s)


NO!

Never ever ever eval strings. At some point you will end up eval'ing a 
user-supplied string and hey presto - instant massive security 
vulnerability.


The original post is a bit crap, since no mention was made as to how the 
dict was turned into a string. As to what he wants to do with this and 
why he's doing it, that's likely the source of the real problem!


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] python script, from string to dictionary.

2008-02-07 Thread sguglia
On Thursday 07 February 2008 11:25:07 Chris Withers wrote:
> Bill Campbell wrote:
>> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>>> hello!
>>>
>>> I converted a dictionary in a string, and now I need to change back the
>>> same string as a dictionary in a zope python script.
>>
>> s = repr(d)
>> newdict = eval(s)
>
> NO!
>
> Never ever ever eval strings. At some point you will end up eval'ing a
> user-supplied string and hey presto - instant massive security
> vulnerability.
>
> The original post is a bit crap, since no mention was made as to how the
> dict was turned into a string. As to what he wants to do with this and
> why he's doing it, that's likely the source of the real problem!
>
> cheers,
>
> Chris

I 'serialized' MySQL data in order to flatten one-to-many related tables. The 
resulting dictionaries (one per record) look e.g. like:

mydict [ brandcode ] =
{
'itemcode': 'some value',
'itemsizeavail':
[
('XL',),
('XXL',),
('S',)
],
'keythree': '',
'keyfour': [ ],
...
}

Now I can index the whole content in order to make it searchable from the 
Plone quick search form.
mydict [ ] records are then saved as strings in DB table records.

I now need to go from string back to dict, to access keys/values and print 
detailed reports.

If you have much better ideas on how to do this, please let us know. I handle 
Python, Zope etc. at a very basic level for now, so surely I've missed some features.

I'm sorry if I wasn't clear, and thanks!

Stefano.
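
As an added example (mine, not Stefano's code nor anything posted in this thread), here is what the record structure above looks like when it is stored as data rather than as Python source. It assumes Python 3; the `json` module arrived in Python 2.6, after this thread, and `simplejson` was the equivalent at the time. The `('XL',)` entries are the one-column rows a DB cursor hands back, so they are flattened before storing. The `repr()` plus `ast.literal_eval()` pair is shown alongside because it is the closest drop-in for strings that are already `repr()` output in the table, and because it is the only one of the two that round-trips tuples unchanged. All function names are my own.

```python
import ast
import json

# Constructed sample in the shape Stefano described: one dict per brandcode, where
# 'itemsizeavail' holds the single-column rows a DB cursor returns as 1-tuples.
RECORD = {
    'itemcode': 'some value',
    'itemsizeavail': [('XL',), ('XXL',), ('S',)],
    'keythree': '',
    'keyfour': [],
}


def flatten_rows(record):
    """Replace lists of 1-tuples such as [('XL',), ('S',)] with ['XL', 'S'].

    Other values pass through unchanged. Done before storing so the stored
    form is plain data and does not depend on how the DB driver shaped rows.
    """
    out = {}
    for key, value in record.items():
        if isinstance(value, list) and value and all(
            isinstance(row, tuple) and len(row) == 1 for row in value
        ):
            out[key] = [row[0] for row in value]
        else:
            out[key] = value
    return out


def to_db_string(record):
    """Serialize for the DB column as JSON: a data format, never executed on load."""
    return json.dumps(flatten_rows(record), sort_keys=True)


def from_db_string(s):
    """Parse what to_db_string wrote. json.loads cannot run code or reach objects."""
    return json.loads(s)


def plain_json_roundtrip(record):
    """Shows the fidelity loss if tuples are not flattened first: JSON has no tuples,
    so ('XL',) comes back as the list ['XL']."""
    return json.loads(json.dumps(record))


def repr_roundtrip(record):
    """For strings already stored as repr(): ast.literal_eval keeps tuples and
    accepts only literal syntax, so it is a safe replacement for eval() here."""
    return ast.literal_eval(repr(record))
```

Storing JSON also makes the column readable from the SQL side and from any other language, which a `repr()` string is not.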


Re: [Zope] python script, from string to dictionary.

2008-02-07 Thread Dieter Maurer
Chris Withers wrote at 2008-2-7 10:25 +:
> Bill Campbell wrote:
>> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>>> hello!
>>>
>>> I converted a dictionary in a string, and now I need to change back the
>>> same string as a dictionary in a zope python script.
>>
>> s = repr(d)
>> newdict = eval(s)
>
> NO!
>
> Never ever ever eval strings. At some point you will end up eval'ing a 
> user-supplied string and hey presto - instant massive security 
> vulnerability.

It is easy to secure eval:

   globs = {'__builtins__':{}}
   eval(s, globs, globs)

This ensures that eval cannot use any builtin functions --
especially, it cannot import anything.



-- 
Dieter
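
To put the two positions in this thread side by side, here is an added example (mine, not code from any of the participants or from Zope). It assumes Python 3 and uses Dieter's `globs = {'__builtins__': {}}` recipe from the message above together with the expression Toby passed on in Chris's 2008-02-11 message at the top of the page. The empty `__builtins__` does stop lookups of builtin names such as `__import__`, but the expression reaches live classes through attribute access alone, which needs no names at all. `ast.literal_eval` (added in Python 2.6, after this thread) parses the same literal syntax as a `repr()` string and rejects the expression outright. The constants and function names are my own.

```python
import ast

# Constructed sample: a serialized record in the shape discussed in the thread.
RECORD = "{'itemcode': 'some value', 'itemsizeavail': [('XL',), ('XXL',), ('S',)]}"
# The expression from Chris's message: no names, no builtins, only attribute access.
ESCAPE = "{}.__class__.__bases__[0].__subclasses__()"
# What the empty __builtins__ dict does stop: any lookup of a builtin name.
BUILTIN_USE = "__import__('os')"


def restricted_eval(s):
    """Dieter's recipe from the thread: eval with an empty __builtins__."""
    globs = {'__builtins__': {}}
    return eval(s, globs, globs)


def builtin_blocked(s):
    """True if the sandbox refuses the expression because a builtin name is missing."""
    try:
        restricted_eval(s)
    except NameError:
        return True
    return False


def classes_reached(s):
    """Names of the live classes the expression hands back under restricted_eval.

    A non-empty answer means the sandbox returned real type objects, which is
    the foothold Chris is pointing at; this example stops at listing them.
    """
    result = restricted_eval(s)
    return sorted({cls.__name__ for cls in result if isinstance(cls, type)})


def literal_parse(s):
    """ast.literal_eval accepts literal syntax only: attribute access, calls and
    names other than None/True/False raise ValueError instead of running."""
    try:
        return ("ok", ast.literal_eval(s))
    except (ValueError, SyntaxError) as exc:
        return ("rejected", type(exc).__name__)
```

`restricted_eval(RECORD)` and `literal_parse(RECORD)` give the same dict, so for the round-trip Stefano asked about nothing is lost by switching; the difference shows only on input that is not a literal, where `restricted_eval(ESCAPE)` returns a list of classes and `literal_parse(ESCAPE)` refuses.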


Re: [Zope] python script, from string to dictionary.

2008-02-06 Thread Bill Campbell
On Thu, Feb 07, 2008, Stefano Guglia wrote:
> hello!
>
> I converted a dictionary in a string, and now I need to change back the
> same string as a dictionary in a zope python script.

s = repr(d)
newdict = eval(s)

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

That rifle on the wall of the labourer's cottage or working class flat is
the symbol of democracy.  It is our job to see that it stays there.
   --GEORGE ORWELL