In article <[EMAIL PROTECTED]>,
Alex Martelli <[EMAIL PROTECTED]> wrote:
>Aahz <[EMAIL PROTECTED]> wrote:
>> Alex Martelli deleted his own attribution:
>>>
>>> >>> object.__subclasses__()
>>
>> One thing my company has done is written a ``safe_eval()`` that uses a
>> regex to disable double-underscore access.
>
>will the regex catch getattr(object, 'subclasses'.join(['_'*2]*2)...?-)

Heheh. No. Then again, security is only as strong as its weakest link,
and that quick hack makes this part of our application as secure as the
rest.
--
Aahz ([EMAIL PROTECTED])  <*>  http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing." --Alan Perlis
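
The gap this exchange points at, as an added example that is not part of the original thread or the company's code: a denylist regex inspects source text, so a name assembled at run time passes it, while an allowlist over the parsed AST rejects it. The regex and all helper names are assumptions; the real `safe_eval()` is not shown in the thread.

```python
import ast
import operator
import re

# Constructed stand-in for the regex filter described in the thread
# (the real safe_eval() is not shown there).
DUNDER = re.compile(r"__")

# The two expressions from the thread; the second is closed with ")" so it parses.
DIRECT = "object.__subclasses__()"
INDIRECT = "getattr(object, 'subclasses'.join(['_'*2]*2))"

def regex_allows(source: str) -> bool:
    """Denylist: accept any source text without a literal double underscore."""
    return DUNDER.search(source) is None

# Allowlist: arithmetic on numeric literals only. No names, calls or attributes.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

def arith_eval(source: str):
    """Evaluate by walking the AST; syntax outside the allowlist raises ValueError."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
            return BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not an expression") from exc
    return walk(tree)

def allowlist_allows(source: str) -> bool:
    try:
        arith_eval(source)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    for src in (DIRECT, INDIRECT, "2 * (3 + 4) - 1"):
        print(f"{src!r}: regex={regex_allows(src)} allowlist={allowlist_allows(src)}")
```

The allowlist never hands the input to `eval()`, so an expression is only as capable as the node types listed in `walk()`.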