"John Fouhy" <[EMAIL PROTECTED]> wrote:

> e = "tuple(" + e + ")"
> x,y = eval(e) # x -> 2.5, y -> 2.8
>
> If I, as an evildoer, can control e, it seems that I could set it
> to:
>
> ,), __import__('os').system('rm -rf /'
>
> I've never thought of myself as all that devious :-)

Sorry John, too fast in hitting reply.
I didn't notice the closing quote in the original - too early
in the morning! - yes that would trip it up.
But that would be a specific bit of code aimed at a
specific eval - in other words the perp would need to
know that the eval had a function call in it. So yes
you do classify as devious in my definition! :-)
Someone just typing valid Python code into an input
in the hope of causing havoc would not succeed,
you need to know to close parens and leave an
unclosed paren at the end.
But yes, the eval is not foolproof and if that is a cause
for concern then parse the string.
Alan g
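As an added example (not code from the thread), one way to "parse the string" instead of eval'ing it: ast.literal_eval builds only literals, so an input that smuggles in a function call is rejected before anything runs. The sample inputs are constructed for the demo.

```python
import ast


def parse_pair(e: str) -> tuple[float, float]:
    """Parse user text of the form 'x, y' into two floats without eval.

    ast.literal_eval only builds literal values (numbers, strings, tuples,
    lists, dicts, ...). Names, calls and imports in the string raise
    ValueError, and unbalanced parentheses raise SyntaxError, so no part of
    the input is ever executed.
    """
    try:
        # Trailing comma keeps a single-number input a tuple rather than a bare float.
        value = ast.literal_eval("(" + e + ",)")
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal pair: {e!r}") from exc
    # Enforce the shape the caller expects: exactly two numbers (bool is an int subclass, so exclude it).
    if len(value) != 2 or not all(
        isinstance(v, (int, float)) and not isinstance(v, bool) for v in value
    ):
        raise ValueError(f"expected two numbers, got {e!r}")
    return float(value[0]), float(value[1])


def safe_to_parse(e: str) -> bool:
    """True if parse_pair accepts the string, False if it rejects it."""
    try:
        parse_pair(e)
    except ValueError:
        return False
    return True


# Constructed sample inputs (not from the thread): a normal pair and a
# string that tries to carry a function call in with it.
GOOD_INPUT = "2.5, 2.8"
HOSTILE_INPUT = "2.5, __import__('os').system('echo hostile')"

if __name__ == "__main__":
    print(parse_pair(GOOD_INPUT))        # (2.5, 2.8)
    print(safe_to_parse(HOSTILE_INPUT))  # False: rejected, the call never runs
```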
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor