On Tuesday, April 5, 2016 at 7:19:39 PM UTC+5:30, Jon Ribbens wrote: > On 2016-04-03, Jon Ribbens wrote: > > I'd just like to say up front that this is more of a thought experiment > > than anything else, I don't have any plans to use this idea on any > > genuinely untrusted code. Apart from anything else, there's the > > denial-of-service issue. > > > > That said, is there any way that the following Python 3.4 code could > > result in a arbitrary code execution security hole? > > > > tree = compile(untrusted_code, "<script>", "eval", ast.PyCF_ONLY_AST) > > for node in ast.walk(tree): > > if (isinstance(node, ast.Name) and node.id.startswith("_") or > > isinstance(node, ast.Attribute) and node.attr.startswith("_")): > > raise ValueError("Access to private values is not allowed.") > > namespace = {"__builtins__": {"int": int, "str": str, "len": len}} > > print(eval(compile(tree, "<script>", "eval"), namespace)) > > Nobody has any thoughts on this at all?
i actually did... But dont know enough of the AST API to figure out what you are trying/avoiding etc -- https://mail.python.org/mailman/listinfo/python-list