Dieter Maurer wrote:
- google for the bugs in python's rexec and bastion modules which lead to them being deprecated...


I speak only about "eval" (not "exec" or "rexec" nor "bastion").
In the "eval" world, you only have expressions.
And with the "__builtins__" above, you have no builtin functions,
no classes, no types -- you have just the literals the parser
can recognize: strings, integer, float, None, lists, tuples,
dicts, generators and the typical operators on them.

I suggest you actually follow your own usual advice and do some searching, it's never that simple, as you'll see from the bugs people have encountered with rexec and bastion ;-)

But, for clarity and for the lazy, here's Toby's example of how to get at some interesting classes without using aything but the exec environment you described:

{}.__class__.__bases__[0].__subclasses__()

I know Toby wanted to keep that off-list but I think it's important that people understand just how unsafe it is to exec anything you can't 100% trust.

I have an addage that "there's always something better than exec" and I haven't been proved wrong yet...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to