On Sun, 21 Feb 2010 22:25:11 +0100, W. Martin Borgert wrote:
> Hi,
>
> I know that this issue has been discussed before, but most of the time
> using only one argument to eval().
>
> Is it possible to use the following code, e.g. run as part of a web
> application, to break in and if so, how?
>
> import math
>
> def myeval(untrustedinput):
>     return eval(untrustedinput, {"__builtins__": None},
>                 {"abs": abs, "sin": math.sin})
>
> Is it possible to define functions or import modules from the untrusted
> input string?
>
> Which Python built-ins and math functions would I have to add to the
> functions dictionary to make it unsafe?
You've got the right idea, but the task is difficult. Please read this thread:
http://tav.espians.com/a-challenge-to-break-python-security.html

-- 
Steven

-- 
http://mail.python.org/mailman/listinfo/python-list
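An added example, not from the thread or its authors: rather than trying to fence eval() in with a stripped `__builtins__`, parse the input with the `ast` module and evaluate only a whitelist of node types, exposing the same two functions (abs and sin) that the question's myeval does. Names, attribute access, subscripts, strings and calls to anything not whitelisted are refused before any code runs; the `MAX_EXPONENT` cap is a constructed limit, not something from the thread.

```python
import ast
import math
import operator

# The same two functions the question exposes; nothing else is reachable.
ALLOWED_FUNCS = {"abs": abs, "sin": math.sin}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_EXPONENT = 100  # constructed limit so "9**9**9**9" cannot burn CPU


def safe_eval(untrusted: str):
    """Evaluate an arithmetic expression without calling eval() at all."""
    tree = ast.parse(untrusted, mode="eval")  # SyntaxError on statements like "import os"
    return _walk(tree.body)


def _walk(node):
    # Numeric literals only: strings, bytes and bools are refused.
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError("non-numeric literal")
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _walk(node.left), _walk(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand))
    # Calls: only a bare whitelisted name, positional args, no keywords.
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in ALLOWED_FUNCS and not node.keywords):
        return ALLOWED_FUNCS[node.func.id](*[_walk(a) for a in node.args])
    # Attribute, Subscript, Name, Lambda, comprehensions and so on end up here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def is_rejected(untrusted: str) -> bool:
    """True when the expression is refused before any evaluation happens."""
    try:
        safe_eval(untrusted)
    except (ValueError, SyntaxError):
        return True
    return False
```

Because the whitelist is on syntax rather than on the names eval() can see, adding a function to ALLOWED_FUNCS exposes exactly that callable and nothing reachable through its attributes.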