Quoting "Noah Kantrowitz" <n...@coderanger.net>:
If you are calling eval() on a user-provided string you should assume they can run arbitrary code with the permissions of the webserver.
Even if I limit the available commands? I use:
eval(argument, {"__builtins__": None}, CalcMacro._localdict)
_localdict contains some Python built-ins and math functions.
If you want to make a single calculation system, PyParsing has one as an example.
Yes, PyParsing is really nice and capable.