Chris Withers wrote at 2008-2-7 10:25 +0000:
>Bill Campbell wrote:
>> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>>> hello!
>>>
>>> I converted a dictionary into a string, and now I need to change the
>>> same string back into a dictionary in a Zope Python script.
>>
>> s = repr(d)
>> newdict = eval(s)
>
>NO!
>
>Never ever ever eval strings. At some point you will end up eval'ing a
>user-supplied string and hey presto - instant massive security
>vulnerability.
It is easy to secure "eval":

  globs = {'__builtins__':{}}
  eval(s, globs, globs)

This ensures that "eval" cannot use any builtin functions -- especially,
it cannot import anything.

--
Dieter
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
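The round trip the thread asks for (repr() a dict, later turn the string back into a dict) can be done without calling eval at all. The following is an added example, not code from the thread or from Zope; it uses ast.literal_eval from the Python standard library (available since Python 2.6 and in all Python 3 versions), which parses the string into a syntax tree and accepts only literal nodes (strings, numbers, tuples, lists, dicts, sets, booleans, None). Any name, call or attribute access in the input raises ValueError before anything is evaluated, so the question of what a restricted namespace still exposes does not arise. The sample dict and rejected inputs are constructed for the example.

```python
import ast


def dict_to_string(d):
    """Serialise a dict with repr(), exactly as the thread does."""
    return repr(d)


def string_to_dict(s):
    """Parse a repr()'d dict back into a dict without eval.

    ast.literal_eval only evaluates literal syntax. Names, calls,
    attribute access and other expressions raise ValueError, malformed
    input raises SyntaxError. We additionally insist on a dict so the
    caller never receives a list or a bare string by mistake.
    """
    value = ast.literal_eval(s)
    if not isinstance(value, dict):
        raise TypeError("expected a dict literal, got %s" % type(value).__name__)
    return value


def roundtrip(d):
    """repr() a dict and parse it back; returns the reconstructed dict."""
    return string_to_dict(dict_to_string(d))


def is_rejected(s):
    """True if string_to_dict refuses the string.

    Covers the three failure classes a caller should expect:
    non-literal syntax (ValueError), broken syntax (SyntaxError) and a
    literal that is not a dict (TypeError from our own check).
    """
    try:
        string_to_dict(s)
    except (ValueError, SyntaxError, TypeError):
        return True
    return False


# Constructed sample, with nested containers to show the round trip
# survives more than flat string/int pairs.
SAMPLE = {'title': 'Hello', 'count': 3, 'tags': ['a', 'b'], 'nested': {'x': 1.5}}

if __name__ == '__main__':
    s = dict_to_string(SAMPLE)
    print(s)
    print(string_to_dict(s) == SAMPLE)
    # Constructed non-literal inputs: each is refused, none is evaluated.
    for bad in ("{'a': len('x')}", "{'a': b}", "[1, 2]", "{'a': 1"):
        print(repr(bad), "rejected:", is_rejected(bad))
```

In a Zope Python Script the same approach applies, provided the restricted environment lets the script import ast (or an External Method wraps it); the point is that the parser, not a namespace, decides what the string may contain.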