On Wed, Oct 8, 2008 at 5:34 PM, Warren DeLano <[EMAIL PROTECTED]> wrote:
>
> I would like to parse arbitrary insecure text string containing nested
> Python data structures in eval-compatible form:
>
> # For example, given a "config.txt" such as:
>
> {
>   'my_atom' : 1.20,
>   'my_dict' : { 2:50 , 'hi':'mom'},
>   'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
> }
>
> # I would like to do something like this:
>
> empty_space = {'__builtins__' : {}}
>
> try:
>     config = eval(open("config.txt").read(), empty_space, empty_space)
> except:
>     config = {}
>
> print config
>
> # But I know for certain that the above approach is NOT secure since
> object attributes can still be accessed...
>
> So is there an equally convenient yet secure alternative available for
> parsing strings containing Python data structure definitions?

Assuming the data structures are sufficiently basic, i.e. no class
instantiations, you can just use the json (AKA simplejson) library to
deserialize the data in the string. Python and JSON conveniently
happen to share the same syntax for literals (except for booleans
IIRC).

Also, if this is your program's config file, you might consider
changing it to INI-format and using ConfigParser
(http://www.python.org/doc/2.5.2/lib/module-ConfigParser.html)
instead.

Cheers,
Chris
--
Follow the path of the Iguana...
http://rebertia.com

>
> Thanks in advance for any pointers!
>
> Cheers,
> Warren
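
An added example, not part of the original posts: it runs the question's restricted eval() beside ast.literal_eval (in the standard library since Python 2.6) and json.loads on the sample config and on a harmless probe string. The probe, the size cap, the dict-only policy and the function names are assumptions made for this illustration, and the code is written for Python 3.

```python
import ast
import json

# Constructed sample: the config text from the question.
CONFIG_TEXT = """{
  'my_atom' : 1.20,
  'my_dict' : { 2:50 , 'hi':'mom'},
  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}"""

# Constructed, harmless probe: it only reads a type name, which is enough
# to show that attribute access survives an empty __builtins__.
PROBE_TEXT = "{'my_atom': ().__class__.__name__}"

MAX_CONFIG_CHARS = 64 * 1024  # assumed cap; deeply nested input can exhaust the parser


def restricted_eval(text):
    """The approach from the question: eval() with builtins removed."""
    empty_space = {'__builtins__': {}}
    return eval(text, empty_space, empty_space)


def load_literal(text, default=None):
    """Accept literals only; names, calls and attribute access are rejected."""
    if len(text) > MAX_CONFIG_CHARS:
        return default
    try:
        value = ast.literal_eval(text)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError):
        return default
    # Assumed policy for this example: the top level must be a dict.
    return value if isinstance(value, dict) else default


def json_accepts(text):
    """True if the text is valid JSON exactly as written."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(restricted_eval(PROBE_TEXT))  # the attribute lookup was evaluated
    print(load_literal(PROBE_TEXT))     # rejected, default returned
    print(load_literal(CONFIG_TEXT))    # parsed as plain data
    print(json_accepts(CONFIG_TEXT))    # single quotes, tuple and int key are not JSON
```

The sample file as written is rejected by json.loads, so taking the json route means rewriting the file as JSON first, while ast.literal_eval reads it unchanged.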