Re: how to convert string to list or tuple
Ruud de Jong wrote: Steven Bethard schreef: But unless the person eval-ing your code *only* writes immaculate code I can see that you can probably screw them. ;) I wonder why __subclasses__ isn't a restricted attribute... Is it ever used for something that isn't evil? ;) STeVe Completely off topic, but I just cannot resist showing off. Some time ago I used __subclasses__ in a way that is not evil. I think. The details are described in the following thread: http://groups.google.nl/group/comp.lang.python/browse_thread/thread/5c1 ccb986c66cdc1/ A summary: I used __subclasses__ to apply the Chain-of-Responsibility pattern to object creation. The code would appear to instantiate an object of the root of a class hierarchy, but the actual object that was created would be an instance of a subclass. So to get back to your question: yes, there are non-evil uses for __subclasses__. Weird perhaps, but non-evil. Non-standard, sure . Too clever for my own good, very likely. I've done almost exactly the same thing. The base class uses __subclasses__ to find the best matching subclass based on the factory parameters. In my case I was retrieving files from the web, so I had a base Handler class and created HtmlHandler, ImageHandler c. class Handler(object): '''Class to process files''' __map = {} @classmethod def _resolveClass(klass, isdir, name): map = Handler.__map if not map: for c in klass.__subclasses__(): for ext in c.Extensions: map['.'+ext.lower()] = c if isdir: klass = FolderHandler else: ext = os.path.splitext(name)[1].lower() if ext not in map: map[ext] = DefaultHandler klass = map[ext] return klass(name) @classmethod def fromPathname(klass, name, path, uri, db): isdir = os.path.isdir(os.path.join(path, name)) obj = klass._resolveClass(isdir, name) obj._initialize(name, path, uri, db) return obj @classmethod def fromUrl(klass, uri, text, db=None): ... and so on ... and then subclasses such as: class ImageHandler(Handler): Extensions = ('jpg', 'jpeg', 'gif', 'png') type = 'Image' class DefaultHandler(Handler): Extensions = ('',) type = 'Ignored' This also contains the only code I think I've written with a class definition in a for loop: # General categories EXTENSIONS = { 'js': 'javascript', 'php': 'php', 'doc': 'Word Document', 'xls': 'Spreadsheet', 'ppt': 'Powerpoint', 'css': 'Stylesheet', 'swf': 'Flash', 'pdf': 'File', 'rtf': 'File', 'zip': 'File', } Classes = [] for ext in EXTENSIONS: class GeneralHandler(Handler): Extensions = (ext,) type = EXTENSIONS[ext] Classes.append(GeneralHandler) -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Steven Bethard wrote: Interestingly, I don't seem to be able to create a file object as a class attribute in restricted mode: py class C(object): ... def __init__(self): ... self.f = file('temp.txt', 'w') ... py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().f.write(stuff)''', dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? AttributeError: 'C' object has no attribute 'f' py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().__dict__''', dict(__builtins__=None)) {} Weird. I copied and paste your class and eval exactly (apart from deleting the ... prompts) and it worked exactly as expected: writing 'stuff' to temp.txt. (Python 2.4) -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
flyaflya wrote: a = (1,2,3) I want convert a to tuple:(1,2,3),but tuple(a) return ('(', '1', ',', '2', ',', '3', ')') not (1,2,3) Probably a bit late... but there's always listquote - It's part of the pythonutils module. http://www.voidspace.org.uk/python/pythonutils.html It will turn strings to lists, including nested lists. Best Regards, Fuzzy http://www.voidspace.org.uk/python -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Duncan Booth wrote: Steven Bethard wrote: Interestingly, I don't seem to be able to create a file object as a class attribute in restricted mode: py class C(object): ... def __init__(self): ... self.f = file('temp.txt', 'w') ... py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().f.write(stuff)''', dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? AttributeError: 'C' object has no attribute 'f' py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().__dict__''', dict(__builtins__=None)) {} Weird. I copied and paste your class and eval exactly (apart from deleting the ... prompts) and it worked exactly as expected: writing 'stuff' to temp.txt. (Python 2.4) So, I played around with this a little bit. If I start up a new interpreter and type it in like above, I get the behavior you do. What I had actually done (abbreviated) was: py class C(object): ... pass ... py class C(object): ... def __init__(self): ... self.f = file('temp.txt', 'w') ... py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().f.write(stuff)''', dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? AttributeError: 'C' object has no attribute 'f' And the problem with this is that both __main__.C objects are now subclasses of object: py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C']''', dict(__builtins__=None)) [class '__main__.C', class '__main__.C'] So I was getting the wrong __main__.C object. Sorry for the confusion! Now, even using this technique, *your* code can't call the file constructor: py class C(object): ... def __init__(self): ... self.file = file ... py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][-1]().file(temp.txt, w)''', dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? IOError: file() constructor not accessible in restricted mode But unless the person eval-ing your code *only* writes immaculate code I can see that you can probably screw them. ;) I wonder why __subclasses__ isn't a restricted attribute... Is it ever used for something that isn't evil? ;) STeVe -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Steven Bethard schreef: But unless the person eval-ing your code *only* writes immaculate code I can see that you can probably screw them. ;) I wonder why __subclasses__ isn't a restricted attribute... Is it ever used for something that isn't evil? ;) STeVe Completely off topic, but I just cannot resist showing off. Some time ago I used __subclasses__ in a way that is not evil. I think. The details are described in the following thread: http://groups.google.nl/group/comp.lang.python/browse_thread/thread/5c1ccb986c66cdc1/ A summary: I used __subclasses__ to apply the Chain-of-Responsibility pattern to object creation. The code would appear to instantiate an object of the root of a class hierarchy, but the actual object that was created would be an instance of a subclass. So to get back to your question: yes, there are non-evil uses for __subclasses__. Weird perhaps, but non-evil. Non-standard, sure . Too clever for my own good, very likely. Regards, Ruud -- Ruud de Jong '@'.join('.'.join(s) for s in (['ruud','de','jong'],['tiscali','nl'])) -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Steven Bethard wrote: Duncan Booth wrote: any new style class you have defined and call any of its methods with whatever arguments I wish. Any new style class that I've defined? Or just any one I pass in as part of dict(__builtins__=None, ...)? If the former, could you elaborate? If the latter, then yes, I can see the problem. However for the case where all you pass in is dict(__builtins__=None), is there still a risk? Note that in the OP's case, all that is necessary is constant parsing, so no names need to be available. Any new style class you have defined is accessible through object.__subclasses__(), and as I showed object itself is always accessible through {}.__class__.__bases__[0]. I'm assuming that the source code for your program is available. That means I can find the name of an interesting class which has a method that does something destructive, and call it. e.g. Assuming that the MyDatabase class does something nasty to a file: class MyDatabase(object): def __init__(self, filename): self.filename = filename def initialise(self): print Splat %s % self.filename eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if 'MyDatabase' in `cls` ][0]('importantfile').initialise()''', dict(__builtins__=None)) Splat importantfile -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Duncan Booth wrote: e.g. Assuming that the MyDatabase class does something nasty to a file: class MyDatabase(object): def __init__(self, filename): self.filename = filename def initialise(self): print Splat %s % self.filename eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if 'MyDatabase' in `cls` ][0]('importantfile').initialise()''', dict(__builtins__=None)) Splat importantfile Interestingly, I don't seem to be able to create a file object as a class attribute in restricted mode: py class C(object): ... def __init__(self): ... self.f = file('temp.txt', 'w') ... py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().f.write(stuff)''', dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? AttributeError: 'C' object has no attribute 'f' py eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if cls.__name__ == 'C'][0]().__dict__''', dict(__builtins__=None)) {} I don't get an error for calling the file constructor, but the f attribute is never set AFAICT. STeVe -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Steven Bethard wrote: Have you tried giving it the string '__import__(os).system(rm -rf *)'? [Don't try that at home children!] But you can try it at home if you set __builtins__ to something other than the default: py eval(__import__(os).system('echo hello'), dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? NameError: name '__import__' is not defined If you're just doing work with constants, the lack of access to any builtins is ok: py eval((1,2,3), dict(__builtins__=None)) (1, 2, 3) I know there have been security holes in this technique before, but I looked at the archives, and all the old ones I found have been patched. (Or at least I wasn't able to reproduce them.) I guess you are referring to things like this not working when you use eval with an empty __builtins__: eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if '_Printer' in `cls` ][0]._Printer__setup.func_globals['__builtins__']['__import__']''', dict(__builtins__=None)) That gets blocked because func_globals is a 'restricted attribute', so I can't get directly at __import__ that way, but what I can do is to access any new style class you have defined and call any of its methods with whatever arguments I wish. Even with the big holes patched you are going to find it pretty hard to write a safe program that uses eval on untrusted strings. The only way to go is to filter the AST (or possibly the bytecode). -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Duncan Booth wrote: Steven Bethard wrote: But you can try it at home if you set __builtins__ to something other than the default: py eval(__import__(os).system('echo hello'), dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? NameError: name '__import__' is not defined [snip] I know there have been security holes in this technique before, but I looked at the archives, and all the old ones I found have been patched. (Or at least I wasn't able to reproduce them.) I guess you are referring to things like this not working when you use eval with an empty __builtins__: eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__() if '_Printer' in `cls` ][0]._Printer__setup.func_globals['__builtins__']['__import__']''', dict(__builtins__=None)) That gets blocked because func_globals is a 'restricted attribute', so I can't get directly at __import__ that way Among other things, yes, that's one of the big ones. func_globals is inaccessible. Also, IIRC the file constructor is inaccessible. but what I can do is to access any new style class you have defined and call any of its methods with whatever arguments I wish. Any new style class that I've defined? Or just any one I pass in as part of dict(__builtins__=None, ...)? If the former, could you elaborate? If the latter, then yes, I can see the problem. However for the case where all you pass in is dict(__builtins__=None), is there still a risk? Note that in the OP's case, all that is necessary is constant parsing, so no names need to be available. STeVe -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
On Thu, 26 May 2005 19:53:38 +0800, flyaflya wrote: a = (1,2,3) I want convert a to tuple:(1,2,3),but tuple(a) return ('(', '1', ',', '2', ',', '3', ')') not (1,2,3) Others have already given some suggestions. Here are some others. You didn't say where the input string a came from. Do you control it? Instead of using: String_Tuple_To_Real_Tuple((1,2,3)) can you just create the tuple in the first place? a = (1, 2, 3) Second suggestion: if you know that the input string will ALWAYS be in the form (1,2,3) then you can do this: a = (1,2,3) a = a[1:-1] # deletes leading and trailing parentheses a = a.split(,) # creates a list [1, 2, 3] (items are strings) a = [int(x) for x in a] # creates a list [1, 2, 3] (items are integers) a = tuple(a) # coverts to a tuple or as a one-liner: a = (1,2,3) a = tuple([int(x) for x in a[1:-1].split(,)]) Best of all, wrap your logic in a function definition with some error-checking: def String_Tuple_To_Real_Tuple(s): Return a tuple of ints from a string that looks like a tuple. if not s: return () if (s[0] == () and s[-1] == )): s = s[1:-1] else: raise ValueError(Missing bracket(s) in string.) return tuple([int(x) for x in s.split(,)]) Hope this helps, -- Steven. -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Simon Brunning wrote: On 5/26/05, flyaflya [EMAIL PROTECTED] wrote: a = (1,2,3) I want convert a to tuple:(1,2,3),but tuple(a) return ('(', '1', ',', '2', ',', '3', ')') not (1,2,3) Short answer - use eval(). Long answer - *don't* use eval unless you are in control of the source of the string that you are evaluating. Or if you do use eval, don't give it access to any names. import os eval(raw_input(), {}) os.system(rm -rf *) Traceback (most recent call last): File stdin, line 1, in ? File string, line 0, in ? NameError: name 'os' is not defined -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Dan Bishop wrote: Simon Brunning wrote: [...] Or if you do use eval, don't give it access to any names. [...] os.system(rm -rf *) Traceback (most recent call last): File stdin, line 1, in ? File string, line 0, in ? NameError: name 'os' is not defined Have you tried giving it the string '__import__(os).system(rm -rf *)'? [Don't try that at home children!] Even if you take steps to avoid that working by hiding the builtins, there are still too many ways to do nasty things with eval for it ever to be safe. -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Duncan Booth [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Dan Bishop wrote: Simon Brunning wrote: [...] Or if you do use eval, don't give it access to any names. [...] os.system(rm -rf *) Traceback (most recent call last): File stdin, line 1, in ? File string, line 0, in ? NameError: name 'os' is not defined Have you tried giving it the string '__import__(os).system(rm -rf *)'? [Don't try that at home children!] Even if you take steps to avoid that working by hiding the builtins, there are still too many ways to do nasty things with eval for it ever to be safe. There was a posting here Nov 5, 2003 by Huaiyu Zhu at IBM Almaden that shows how to do eval type stuff safely. The basic notion is to use the compiler and then check the ast to see if the result fits the straitjacket you want to put it into. Pass / Fail; trying to fix it up if it's close is usually a real bad idea. He gives an example, and there's a much more extensive set of working code in the taBase.py module of PyFit that handles lists, tuples and dicts which contain arbitrary literals including complex and arbitrarily nested lists, tuples and dicts. --- code snippet starts here def _safeEval(self, s): Evaluate strings that only contain the following structures: const, tuple, list, dict Taken from c.l.py newsgroup posting Nov 5, 2003 by Huaiyu Zhu at IBM Almaden #print in _safeEval. input: '%s' % s node1 = compiler.parse(s) # !!! special case of attempting to compile a lone string if node1.doc is not None and len(node1.node.nodes) == 0: #print in _safeEval. string: '%s' found as docstring % node1.doc return node1.doc #print in _safeEval. nodes: '%s' % (node1,) stmts = node1.node.nodes assert len(stmts) == 1 node = compiler.parse(s).node.nodes[0] assert node.__class__ == compiler.ast.Discard nodes = node.getChildNodes() assert len(nodes) == 1 result = self._safeAssemble(nodes[0]) #print in _safeEval result: '%s' % (result,) return result seq_types = { compiler.ast.Tuple: tuple, compiler.ast.List: list, } map_types = { compiler.ast.Dict: dict, } oper_types = { compiler.ast.Add: operator.add, compiler.ast.Sub: operator.sub, } builtin_consts = { True: True, False: False, None: None, } def _safeAssemble(self, node): Recursively assemble parsed ast node cls = node.__class__ if cls == compiler.ast.Const: return node.value elif cls in self.seq_types: nodes = node.nodes args = map(self._safeAssemble, nodes) return self.seq_types[cls](args) elif cls in self.map_types: keys, values = zip(*node.items) keys = map(self._safeAssemble, keys) values = map(self._safeAssemble, values) return self.map_types[cls](zip(keys, values)) elif cls in self.oper_types: left = self._safeAssemble(node.left) right = self._safeAssemble(node.right) if type(left) == type(1.0j) or type(right) == type(1.0j): return self.oper_types[cls](left, right) else: raise FitException, (Parse001,) elif cls == compiler.ast.Name: result = self.builtin_consts.get(node.name, ?) if result != ?: return result else: raise FitException, (Parse002, node.name) else: raise FitException, (Parse003, cls) --- end of code snippet --- John Roth -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
Duncan Booth wrote: Dan Bishop wrote: Or if you do use eval, don't give it access to any names. [snip] os.system(rm -rf *) Traceback (most recent call last): File stdin, line 1, in ? File string, line 0, in ? NameError: name 'os' is not defined Have you tried giving it the string '__import__(os).system(rm -rf *)'? [Don't try that at home children!] But you can try it at home if you set __builtins__ to something other than the default: py eval(__import__(os).system('echo hello'), dict(__builtins__=None)) Traceback (most recent call last): File interactive input, line 1, in ? File string, line 0, in ? NameError: name '__import__' is not defined If you're just doing work with constants, the lack of access to any builtins is ok: py eval((1,2,3), dict(__builtins__=None)) (1, 2, 3) I know there have been security holes in this technique before, but I looked at the archives, and all the old ones I found have been patched. (Or at least I wasn't able to reproduce them.) STeVe -- http://mail.python.org/mailman/listinfo/python-list
how to convert string to list or tuple
a = (1,2,3) I want convert a to tuple:(1,2,3),but tuple(a) return ('(', '1', ',', '2', ',', '3', ')') not (1,2,3) -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
On 5/26/05, flyaflya [EMAIL PROTECTED] wrote: a = (1,2,3) I want convert a to tuple:(1,2,3),but tuple(a) return ('(', '1', ',', '2', ',', '3', ')') not (1,2,3) Short answer - use eval(). Long answer - *don't* use eval unless you are in control of the source of the string that you are evaluating. -- Cheers, Simon B, [EMAIL PROTECTED], http://www.brunningonline.net/simon/blog/ -- http://mail.python.org/mailman/listinfo/python-list
Re: how to convert string to list or tuple
flyaflya [EMAIL PROTECTED] wrote: a = (1,2,3) I want convert a to tuple:(1,2,3),but tuple(a) return ('(', '1', ',', '2', ',', '3', ')') not (1,2,3) if you trust the source, use eval(a) if you don't trust it, you can use, say tuple(int(x) for x in re.findall(\d+, a)) or, perhaps tuple(int(x) for x in a[1:-1].split(,)) or some variation thereof. (if you're using a version older than 2.4, add brackets inside the tuple() call: tuple([int(x) for x in a[1:-1].split(,)]) etc. /F -- http://mail.python.org/mailman/listinfo/python-list