Stephen Thorne <[EMAIL PROTECTED]> wrote:

> On Sat, 29 Jan 2005 08:53:45 -0600, Skip Montanaro <[EMAIL PROTECTED]> wrote:
> >
> > >> One thing my company has done is written a ``safe_eval()`` that uses
> > >> a regex to disable double-underscore access.
> >
> > Alex> will the regex catch getattr(object,
> > Alex> 'subclasses'.join(['_'*2]*2)...?-)
> >
> > Now he has two problems. ;-)
>
> I nearly asked that question, then I realised that 'getattr' is quite
> easy to remove from the global namespace for the code in question, and
> assumed that they had already thought of that.
OK then -- vars(type(object)) is a dict which has [[the unbound-method equivalent of]] object.__subclasses__ at its entry for key '__subclasses__'. Scratch 'vars' in addition to 'getattr'. And 'eval' of course, or else building up the string 'object.__subclasses__' (in a way the regex won't catch) then eval'ing it is easy.

I dunno, maybe I'm just being pessimistic, I guess...

Alex
--
http://mail.python.org/mailman/listinfo/python-list
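The three bypasses discussed in this thread, as an added worked example that is not part of the original posts. The `safe_eval()` below is a constructed stand-in for the regex-based function Skip describes (hypothetical, not his company's code): it rejects any source text containing a literal `__` and evaluates the rest with a reduced builtins table. `'subclasses'.join(['_'*2]*2)` assembles `'__subclasses__'` at runtime, so the regex never sees a double underscore, and each of `getattr`, `vars` and `eval` on its own is enough to reach `object.__subclasses__()`. The `literal_only()` function at the end shows the allowlist alternative, `ast.literal_eval` (added in Python 2.6, after this thread), which refuses every one of these inputs because it never evaluates calls, names or attribute lookups at all.

```python
import ast
import builtins
import re

# Constructed stand-in for the regex-based safe_eval() from the thread
# (hypothetical; not the company's actual code).  It refuses any source
# text containing a literal double underscore and evaluates the rest with
# a builtins table reduced to an allowlist.
DUNDER = re.compile(r"__")


def safe_eval(src, allowed=("object", "type", "vars", "getattr", "eval")):
    """Blacklist-style evaluator: reject literal '__', then eval with only
    the named builtins available to the evaluated code."""
    if DUNDER.search(src):
        raise ValueError("double underscore rejected by regex")
    env = {"__builtins__": {name: getattr(builtins, name) for name in allowed}}
    return eval(src, env)


# '__subclasses__' assembled at runtime: the source text holds no '__'.
DUNDER_NAME = "'subclasses'.join(['_'*2]*2)"

BYPASSES = {
    # 0. the naive attempt the regex was written to stop
    "literal": "object.__subclasses__()",
    # 1. Alex's first bypass: needs only getattr
    "getattr": f"getattr(object, {DUNDER_NAME})()",
    # 2. getattr removed: vars(type(object)) is the namespace of 'type',
    #    whose '__subclasses__' entry is a descriptor callable with object
    "vars": f"vars(type(object))[{DUNDER_NAME}](object)",
    # 3. getattr and vars removed: build 'object.__subclasses__()' as a
    #    string and eval it again inside the same restricted namespace
    "eval": f"eval('object.' + {DUNDER_NAME} + '()')",
}


def try_bypass(name, allowed):
    """Run one bypass under the given builtins allowlist.
    Returns the list of direct subclasses of object on success, or the
    exception class name if the sandbox stopped it."""
    try:
        return safe_eval(BYPASSES[name], allowed)
    except Exception as exc:
        return type(exc).__name__


def literal_only(src):
    """Allowlist alternative: ast.literal_eval accepts only literal
    expressions, so any call, name lookup, attribute access or subscript
    raises ValueError instead of being evaluated."""
    try:
        return ast.literal_eval(src)
    except (ValueError, SyntaxError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for name, needs in (("literal", ("object",)),
                        ("getattr", ("object", "getattr")),
                        ("vars", ("object", "type", "vars")),
                        ("eval", ("object", "eval"))):
        result = try_bypass(name, needs)
        outcome = "escaped" if isinstance(result, list) else result
        print(f"{name:8} with {needs}: {outcome}")
        print(f"{name:8} via literal_eval: {literal_only(BYPASSES[name])}")
```

Removing one builtin from the allowlist only stops the bypass that names it; the regex itself never fires on any of the three, which is the point Alex is making. Note that bypass 3 works because the inner `eval` inherits the restricted globals of the outer one, so whatever is left in the allowlist (here just `object`) is enough.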