Re: Is Eval *always* Evil?
On 11 November 2010 09:07, John Nagle wrote:

>>> Am 10.11.2010 18:56, schrieb Simon Mullis:
>>> Yes, eval is evil, may lead to security issues and it's unnecessary
>>> slow, too.
>
> If you have to use "eval", use the 2 or 3 argument form with a
> "globals" and "locals" dictionary. This lists the variables
> and functions that "eval" can see and touch.
>
> The Python documentation for this is not very good:
> "If the globals dictionary is present and lacks ‘__builtins__’, the current
> globals are copied into globals before expression is parsed. This means that
> expression normally has full access to the standard __builtin__ module and
> restricted environments are propagated."
>
> What this means is that you have to put in "__builtins__" to
> PREVENT all built-ins from being imported.

Aren't I already doing this?

>>> result = eval(xpath_command, {"__builtins__":[]},{"x": x})

SM

--
http://mail.python.org/mailman/listinfo/python-list
Re: Is Eval *always* Evil?
Robert Kern writes:

> On 2010-11-10 17:14 , Christian Heimes wrote:
>> Am 10.11.2010 18:56, schrieb Simon Mullis:
>>
>> Yes, eval is evil, may lead to security issues and it's unnecessary
>> slow, too.

Still - it is used in the standard library...
Re: Is Eval *always* Evil?
On 11/10/2010 6:39 PM, Robert Kern wrote:
> On 2010-11-10 17:14 , Christian Heimes wrote:
>> Am 10.11.2010 18:56, schrieb Simon Mullis:
>>
>> Yes, eval is evil, may lead to security issues and it's unnecessary
>> slow, too.

If you have to use "eval", use the 2 or 3 argument form with a
"globals" and "locals" dictionary. This lists the variables
and functions that "eval" can see and touch.

The Python documentation for this is not very good:
"If the globals dictionary is present and lacks ‘__builtins__’, the current
globals are copied into globals before expression is parsed. This means that
expression normally has full access to the standard __builtin__ module and
restricted environments are propagated."

What this means is that you have to put in "__builtins__" to
PREVENT all built-ins from being imported.

See http://lybniz2.sourceforge.net/safeeval.html for something readable
on how to use "eval" safely.

John Nagle
Re: Is Eval *always* Evil?
Robert Kern writes:

> On 2010-11-10 15:52 , Hrvoje Niksic wrote:
>> Simon Mullis writes:
>>
>>> If "eval" is not the way forward, are there any suggestions for
>>> another way to do this?
>>
>> ast.literal_eval might be the thing for you.
>
> No, that doesn't work since he needs to call methods.

You're right; I misread the post.
Re: Is Eval *always* Evil?
In message , Robert Kern wrote:

> Well, the key reason he is using strings is so that he can easily slap on
> a Django admin UI to allow certain users to add new expressions. lambdas
> don't help with that.

Provided you can trust the users who are allowed to add such expressions,
it’s probably all right.
Re: Is Eval *always* Evil?
On 2010-11-10 15:52 , Hrvoje Niksic wrote:
> Simon Mullis writes:
>
>> If "eval" is not the way forward, are there any suggestions for
>> another way to do this?
>
> ast.literal_eval might be the thing for you.

No, that doesn't work since he needs to call methods.

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless
enigma that is made terrible by our own mad attempt to interpret it as
though it had an underlying truth."
  -- Umberto Eco
Re: Is Eval *always* Evil?
On 2010-11-10 17:14 , Christian Heimes wrote:
> Am 10.11.2010 18:56, schrieb Simon Mullis:
> Yes, eval is evil, may lead to security issues and it's unnecessary
> slow, too.
>
>> # In the meantime - and as a proof of concept - I'm using a dict instead.
>>
>> xpathlib = {
>>     "houses": r'[ y.tag for y in x.xpath("//houses/*") ]',
>>     "names" : r'[ y.text for y in x.xpath("//houses/name") ]',
>>     "footwear_type" : r'[ y.tag for y in x.xpath("//cupboard/bottom_shelf/*") ]',
>>     "shoes" : r'[ y.text for y in x.xpath("//cupboard/bottom_shelf/shoes/*") ]',
>>     "interface_types" : r'[ y.text[:2] for y in x.xpath("//interface/name") ]',
>> }
>
> You have two possibilities here:
>
> * either learn more XPath. You can do everything with XPath as well, for
>   example "//houses/name/text()"
>
> * use lambdas instead, for example
>   "names" : lambda x: [y.text for y in x.xpath("//houses/name")]

Well, the key reason he is using strings is so that he can easily slap on
a Django admin UI to allow certain users to add new expressions. lambdas
don't help with that.

--
Robert Kern
Re: Is Eval *always* Evil?
Am 10.11.2010 18:56, schrieb Simon Mullis:

Yes, eval is evil, may lead to security issues and it's unnecessary
slow, too.

> # In the meantime - and as a proof of concept - I'm using a dict instead.
>
> xpathlib = {
>     "houses": r'[ y.tag for y in x.xpath("//houses/*") ]',
>     "names" : r'[ y.text for y in x.xpath("//houses/name") ]',
>     "footwear_type" : r'[ y.tag for y in x.xpath("//cupboard/bottom_shelf/*") ]',
>     "shoes" : r'[ y.text for y in x.xpath("//cupboard/bottom_shelf/shoes/*") ]',
>     "interface_types" : r'[ y.text[:2] for y in x.xpath("//interface/name") ]',
> }

You have two possibilities here:

* either learn more XPath. You can do everything with XPath as well, for
  example "//houses/name/text()"

* use lambdas instead, for example
  "names" : lambda x: [y.text for y in x.xpath("//houses/name")]

Christian
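Added example, not code from anyone on this thread: the xpathlib strings above stay strings (so they can still be edited through an admin UI, as Robert Kern notes), but each one must pass an AST allowlist before it is evaluated with John Nagle's 3-argument form and an empty `__builtins__` dict. The allowlist itself, `MiniTree` (a constructed stand-in for an lxml tree so the block runs without lxml) and the sample XML are assumptions of this example.

```python
import ast
import xml.etree.ElementTree as ET

XPATHLIB = {  # strings from the xpathlib dict posted above
    "houses": r'[ y.tag for y in x.xpath("//houses/*") ]',
    "names": r'[ y.text for y in x.xpath("//houses/name") ]',
    "interface_types": r'[ y.text[:2] for y in x.xpath("//interface/name") ]',
}
# Only syntax allowed: a list comprehension over x.xpath(...), attribute
# reads, constant subscripts and slices. Everything else is rejected.
ALLOWED_NODES = (ast.Expression, ast.ListComp, ast.comprehension, ast.Attribute,
                 ast.Call, ast.Name, ast.Load, ast.Store, ast.Subscript,
                 ast.Slice, ast.Constant)
ALLOWED_ATTRS = {"tag", "text", "xpath"}   # no dunders, no other methods

def check_expression(src):
    """Parse src; raise ValueError on any node, attribute or name outside the
    allowlist (names: x and the comprehension targets). Return the AST."""
    tree = ast.parse(src, mode="eval")
    bound = {"x"}
    for node in ast.walk(tree):
        if isinstance(node, ast.comprehension) and isinstance(node.target, ast.Name):
            bound.add(node.target.id)
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            raise ValueError(f"disallowed attribute: {node.attr}")
        if isinstance(node, ast.Name) and node.id not in bound:
            raise ValueError(f"disallowed name: {node.id}")
        if isinstance(node, ast.Call) and not (
                isinstance(node.func, ast.Attribute) and node.func.attr == "xpath"):
            raise ValueError("only .xpath(...) calls are allowed")
    return tree

def run_expression(src, x):
    """Validate src, then eval it with an empty __builtins__ dict and x as the
    only local: the expression can reach nothing but the tree it is given."""
    code = compile(check_expression(src), "<xpathlib>", "eval")
    return eval(code, {"__builtins__": {}}, {"x": x})

class MiniTree:
    """Constructed stand-in for an lxml tree (lxml not needed): maps the
    '//...' paths used above onto ElementTree.findall."""
    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)
    def xpath(self, path):
        return self.root.findall("." + path if path.startswith("//") else path)

SAMPLE = MiniTree("<root><houses><name>Baker</name><name>Elm</name></houses>"  # constructed
                  "<interface><name>eth0</name><name>wlan0</name></interface></root>")
```

`run_expression(XPATHLIB["names"], SAMPLE)` returns `["Baker", "Elm"]`, while an expression such as `x.__class__` never reaches `eval` because `check_expression` rejects the attribute.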
Re: Is Eval *always* Evil?
Simon Mullis writes:

> If "eval" is not the way forward, are there any suggestions for
> another way to do this?

ast.literal_eval might be the thing for you.