On 14/12/09 21:26 +0100, Hartmut Goebel wrote:
> Chenal Bertrand wrote:
>
> > Nice improvement. I forgot to say that with my version, because there is
> > no need of eval anymore, there is no more risk of code injection (even
> > if the current eval usage has been secured).
>
> ACK. Instead of eval() we could use a simple implementation based on the
> Python modules parser and ast*). These will give us a tree; we just need
> to walk the tree pre-order.
>
> *) I'm not sure whether these modules are available in Python 2.4, but I
> think so. Otherwise we could implement a simple parser using pyparsing,
> which is already used for Tryton.
I don't agree on the fact that the server must parse the code. It will
overload it for no benefit for the current implementation. And if it is
needed to parse the Python code, I would prefer to have it on the client
side; it will scale better.
And if we keep Python code, we don't need to implement a new parser/VM in
the client nor in the server, as we still use safe_eval.
And we could not ask people to write a complete Python VM to evaluate those
strings (AST). We should limit to some functionalities as I said in
previous emails. And with simple Python statements, they can be
transformed easily into many other language statements with simple string
replace.

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email: [email protected]
Jabber: [email protected]
Website: http://www.b2ck.com/
twitter: http://twitter.com/cedrickrier
identi.ca: http://identi.ca/cedrickrier
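As an added example (not code from this thread or from Tryton's safe_eval), here is the kind of AST-walking evaluator Hartmut describes: the expression string is parsed with Python's `ast` module and the tree is walked against a whitelist of node types, so a call, attribute access or comprehension is rejected before anything is evaluated. It assumes current Python 3 (`ast.Constant`) rather than the Python 2.4 discussed above; the names `restricted_eval` and `UnsafeExpression` are hypothetical.

```python
import ast
import operator

# Hypothetical restricted evaluator for domain-style strings such as
# "[('state', '=', 'draft'), ('total', '>', limit)]". Only literals,
# tuples/lists/dicts, comparisons, and/or/not and names looked up in an
# explicit context are accepted; calls, attributes, subscripts, lambdas
# and comprehensions are refused before any value is computed.

_CMP = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the whitelisted subset."""


def restricted_eval(source, context):
    """Parse `source` as a single expression and walk its AST."""
    tree = ast.parse(source, mode='eval')
    return _walk(tree.body, context)


def _walk(node, ctx):
    if isinstance(node, ast.Constant):          # numbers, strings, None...
        return node.value
    if isinstance(node, ast.Name):              # only names from `ctx`
        if node.id not in ctx:
            raise UnsafeExpression('unknown name %r' % node.id)
        return ctx[node.id]
    if isinstance(node, (ast.Tuple, ast.List)):
        items = [_walk(e, ctx) for e in node.elts]
        return tuple(items) if isinstance(node, ast.Tuple) else items
    if isinstance(node, ast.Dict):
        return {_walk(k, ctx): _walk(v, ctx)
                for k, v in zip(node.keys, node.values)}
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _walk(node.operand, ctx)
    if isinstance(node, ast.BoolOp):
        values = [_walk(v, ctx) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _CMP):
        left, right = _walk(node.left, ctx), _walk(node.comparators[0], ctx)
        return _CMP[type(node.ops[0])](left, right)
    # Call, Attribute, Subscript, Lambda, ListComp, ... all end up here.
    raise UnsafeExpression('disallowed syntax: %s' % type(node).__name__)
```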