Dieter Maurer wrote:
- google for the bugs in python's rexec and bastion modules which lead to them being deprecated...

I speak only about "eval" (not "exec" or "rexec" nor "bastion").
In the "eval" world, you only have expressions.
And with the "__builtins__" above, you have no builtin functions,
no classes, no types -- you have just the literals the parser
can recognize: strings, integer, float, None, lists, tuples,
dicts, generators and the typical operators on them.

I suggest you actually follow your own usual advice and do some searching, it's never that simple, as you'll see from the bugs people have encountered with rexec and bastion ;-)

But, for clarity and for the lazy, here's Toby's example of how to get at some interesting classes without using aything but the exec environment you described:


I know Toby wanted to keep that off-list but I think it's important that people understand just how unsafe it is to exec anything you can't 100% trust.

I have an addage that "there's always something better than exec" and I haven't been proved wrong yet...



Simplistix - Content Management, Zope & Python Consulting
Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to