Chris Withers wrote at 2008-2-7 10:25 +0000:
>Bill Campbell wrote:
>> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>>> hello!
>>>
>>> I converted a dictionary in a string, and now I need to change back the
>>> same string as a dictionary in a zope python script.
>>
>> s = repr(d)
>> newdict = eval(s)
>
>NO!
>
>Never ever ever eval strings. At some point you will end up eval'ing an
>user-supplied string and hey presto - instant massive security
>vulnerability.
It is easy to secure "eval":
globs = {'__builtins__':{}}
eval(s, globs, globs)
This ensures that "eval" cannot use any builtin functions --
especially, it cannot import anything.
--
Dieter
_______________________________________________
Zope maillist - [email protected]
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
