On 26/11/2008, Alan Gauld <[EMAIL PROTECTED]> wrote:

> You could use eval to evaluate the string but that would be dangerous since
> the string could be a malicious piece of code. But you can make it a lot
> safer by wrapping it in a function with known effect, thus:
>
> s = "[2.5,2.8]"   # your string from the file
> e = "tuple(" + s + ")"
> x,y = eval(e)     # x -> 2.5, y -> 2.8
>
> Now if some crazy code gets read by error the eval will throw an error. It's
> not foolproof but it works for all but the most devious attacks.
If I, as an evildoer, can control e, it seems that I could set it to:

    ,), __import__('os').system('rm -rf /'

I've never thought of myself as all that devious :-)

-- 
John.

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
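The break-out John describes, shown in runnable form as an added example that is not part of the thread: the `tuple(...)` wrapper is reproduced as quoted, the hostile string uses a harmless `os.getpid()` call in place of `rm -rf /` so that the side effect is observable without damage, and `parse_pair_safely` is the alternative a practitioner would reach for, built on `ast.literal_eval`, which only evaluates literals and never calls anything. The function and variable names are this example's own.

```python
import ast
import os


def parse_pair_with_eval(s):
    """The wrapper from the quoted post: wrap the untrusted string in
    tuple(...) and hand it to eval.  Kept only to demonstrate the bypass."""
    return eval("tuple(" + s + ")")


# Constructed hostile input.  Closing the tuple( early turns the expression into
#   tuple(), __import__('os').getpid(), ()
# so arbitrary code runs inside eval; getpid() stands in for rm -rf /.
HOSTILE = "), __import__('os').getpid(), ("


def eval_executes_attacker_code():
    """True if the attacker-controlled call actually ran inside eval."""
    result = parse_pair_with_eval(HOSTILE)
    return isinstance(result, tuple) and result[1] == os.getpid()


def parse_pair_safely(s):
    """Parse a two-number list/tuple literal without executing code.

    ast.literal_eval accepts only literal syntax (numbers, strings, lists,
    tuples, dicts, ...); any call or name raises ValueError, and anything that
    is not even valid syntax raises SyntaxError.  The shape check on top of it
    enforces what the file is supposed to contain.
    """
    value = ast.literal_eval(s)
    if not (isinstance(value, (list, tuple)) and len(value) == 2):
        raise ValueError("expected exactly two values")
    for v in value:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            raise ValueError("expected numeric values")
    return float(value[0]), float(value[1])


def safe_parser_rejects(s):
    """True if parse_pair_safely refuses the input instead of running it."""
    try:
        parse_pair_safely(s)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("eval ran attacker code:", eval_executes_attacker_code())
    print("literal_eval parses good input:", parse_pair_safely("[2.5,2.8]"))
    print("literal_eval rejects hostile input:", safe_parser_rejects(HOSTILE))
```

Note that `ast.literal_eval` on its own still accepts any literal, including a very large nested structure, so the shape check after it is what pins the input down to "two numbers"; the combination is what `eval` plus string wrapping was trying, and failing, to achieve.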