[TurboGears] Re: using eval safely?

[Krys]

Hi there,

it seems to me that your eval("someinstance.object." + userinput) is
functionally equivalent to getattr(someinstance.object, userinput),
which would be safer and yet still flexible.

The using a dictionary (as mentioned below), or your attrdict is doing
essentially the same thing.

Also, FWIW, TurboGears already has an attrdict-lke object called a
Bunch.  Using it would save you some code and having to maintain the
attrdict.  It's in turbogears.util, I believe.

Anyway, hope this helps.
Krys

On Mar 20, 5:35 pm, Nick Murdoch <[EMAIL PROTECTED]> wrote:
> I came across a circumstance today where it'd have been really useful to
> do eval("someinstance.object." + userinput) but, well, for a start that
> looks UGLY. I ended up just reimplementing the object as a subclass of dict.
>
> class attrdict(dict):
>         def __getattr__(self, name):
>                 return self[name]
>         def __setattr__(self, name, val):
>                 self[name] = val
>
> Saves having to rewrite all your previous code with object.something
> rather than object['something']. :)
>
> Rick wrote:
> > I can't think of anything at all you can do here -- one word will just
> > do a lookup in the locals(), and failing that, the globals() dict and
> > return you the object.  There is no method of which I'm aware to
> > subvert that process.  (But just to be sure, why not just do
> > locals().get(name, globals().get(name))?  It's also safe, doesn't
> > incur the re overhead, and doesn't tempt you to later allow the user
> > to do other stuff.)
>
> > On Mar 20, 4:16 pm, iain duncan <[EMAIL PROTECTED]> wrote:
> >> I know one has to be *very careful* using eval with anything that comes
> >> from a url submission. It would however, but out a lot of conditionals.
> >> Can anyone tell me if it is safe to eval a string provided I previously
> >> do a positive match against it with an re containing alphabetical
> >> characters only? Is there anyway for python to do damage evaling one
> >> word?
>
> >> Thanks
> >> Iain


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"TurboGears" group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/turbogears?hl=en
-~----------~----~----~----~------~----~------~--~---