Quoting "Noah Kantrowitz" <[email protected]>:
> If you are calling eval() on a user-provided string you should
> assume they can run arbitrary code with the permissions of the
> webserver.
Even if I limit the available commands? I use:
eval(argument, {"__builtins__": None}, CalcMacro._localdict)
_localdict contains some Python built-ins and math functions.
> If you want to make a single calculation system, PyParsing has one
> as an example.
Yes, PyParsing is really nice and capable.
--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/trac-users?hl=en.
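The thread's eval() call with `{"__builtins__": None}` and a restricted locals dict still hands the user the full Python expression grammar, including attribute access, so it does not confine what the expression can reach. The following is an added example, not code from this thread or from Trac's CalcMacro: a small calculator that parses the expression with the standard `ast` module and walks only a whitelisted set of node types and names, rejecting everything else. The operator and name whitelists, the `CalcError` type and the exponent limit are all choices made for this example.

```python
import ast
import math
import operator
# Operator whitelist: AST node class -> implementation.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
            ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
# Name whitelist (constructed for this example): numbers and plain functions only,
# no module objects, so no name can lead to __class__, __globals__ or similar.
_NAMES = {"pi": math.pi, "e": math.e, "sqrt": math.sqrt, "sin": math.sin, "cos": math.cos,
          "log": math.log, "abs": abs, "round": round, "min": min, "max": max}

class CalcError(ValueError):
    """Raised for any input outside the whitelisted grammar."""

def _eval_node(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in _NAMES:
            raise CalcError("unknown name: %s" % node.id)
        return _NAMES[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        # Crude resource guard: a huge exponent is the easy way to pin the CPU.
        if isinstance(node.op, ast.Pow) and isinstance(right, (int, float)) and abs(right) > 1000:
            raise CalcError("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        return _eval_node(node.func)(*[_eval_node(a) for a in node.args])
    # Attribute, Subscript, Lambda, comprehensions, strings, ...: all rejected.
    raise CalcError("disallowed syntax: %s" % type(node).__name__)

def safe_calc(expression):
    """Evaluate an arithmetic expression without eval(); raises CalcError otherwise."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise CalcError("syntax error: %s" % exc)
    return _eval_node(tree.body)

def is_rejected(expression):
    """True when the calculator refuses the expression (handy for tests)."""
    try:
        safe_calc(expression)
        return False
    except CalcError:
        return True
```

Because the walker only ever returns numbers or the whitelisted function objects, and never evaluates `Attribute` or `Subscript` nodes, an input such as `().__class__` is refused at parse-tree level rather than relying on `__builtins__` being empty.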