On 2013-01-04, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote:
> On Thu, 03 Jan 2013 23:25:51 +0000, Grant Edwards wrote:
>
>> I've written a small assembler in Python 2.[67], and it needs to
>> evaluate integer-valued arithmetic expressions in the context of a
>> symbol table that defines integer values for a set of names.

[...]

[ my attempt at a safer eval() ]

> So, here's my probably-not-safe-either "safe eval":
>
>
> def probably_not_safe_eval(expr):
>     if 'import' in expr.lower():
>         raise ParseError("'import' prohibited")
>     for c in '_"\'.':
>         if c in expr:
>             raise ParseError('prohibited char %r' % c)
>     if len(expr) > 120:
>         raise ParseError('expression too long')
>     globals = {'__builtins__': None}
>     locals = symbolTable
>     return eval(expr, globals, locals)  # fingers crossed!
>
> I can't think of any way to break out of these restrictions, but that may
> just mean I'm not smart enough.

I've added equals, backslash, commas, square/curly brackets, colons and
semicolons to the prohibited character list.  I also reduced the maximum
length to 60 characters.  It's unfortunate that parentheses are
overloaded for both expression grouping and for function calling...

def lessDangerousEval(expr):
    if 'import' in expr.lower():
        raise ParseError("'import' prohibited in expression")
    # comma added to match the list above; %r already quotes the char
    for c in '_"\'.,;:[]{}=\\':
        if c in expr:
            raise ParseError("prohibited char %r in expression" % c)
    if len(expr) > 60:
        raise ParseError('expression too long')
    globals = {'__builtins__': None}
    locals = symbolTable
    return eval(expr, globals, locals)  # fingers crossed!

Exploits anyone?

-- 
Grant Edwards               grant.b.edwards        Yow! I'm ZIPPY the PINHEAD
                                  at               and I'm totally committed
                                  gmail.com        to the festive mode.
-- 
http://mail.python.org/mailman/listinfo/python-list
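A whitelisting alternative to the character blacklists above, added here as an example and not code from the thread: parse the expression with the ast module and evaluate only the node types an assembler expression needs, so eval() is never reached. SYMBOL_TABLE is a constructed stand-in for the symbolTable in the post, ParseError is assumed to be a plain Exception subclass, and the code targets Python 3.

```python
import ast
import operator

# Constructed symbol table, standing in for the assembler's symbolTable.
SYMBOL_TABLE = {"START": 0x1000, "BUFLEN": 64, "FLAG": 0b101}

# Operators an assembler needs; '/' maps to floor division, '**' is left out.
BINARY_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.floordiv, ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift, ast.BitAnd: operator.and_,
    ast.BitOr: operator.or_, ast.BitXor: operator.xor,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Invert: operator.invert}

class ParseError(Exception):
    """Assumed equivalent of the ParseError raised in the post."""

def safe_int_eval(expr, symbols, max_len=60):
    """Evaluate an integer expression by whitelisting AST node types; eval() is never called."""
    if len(expr) > max_len:
        raise ParseError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise ParseError("syntax error: %s" % e) from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value  # bool, float and str literals fall through to the error
        if isinstance(node, ast.Name):
            if node.id not in symbols:
                raise ParseError("undefined symbol %r" % node.id)
            return symbols[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
            return BINARY_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](walk(node.operand))
        # Calls, attributes, subscripts, lambdas, comprehensions... all end up here.
        raise ParseError("disallowed construct: %s" % type(node).__name__)

    return walk(tree)

def is_rejected(expr, symbols=SYMBOL_TABLE):
    try:
        safe_int_eval(expr, symbols)
    except ParseError:
        return True
    return False
```

Because the check happens on the parse tree rather than on characters, parentheses for grouping are fine while a call like abs(-1) is refused by node type, which is the distinction the character blacklist cannot make.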