Re: [Zope] python script, from string to dictionary.
Dieter Maurer wrote:
>> - google for the bugs in python's rexec and bastion modules which lead
>> to them being deprecated...
>
> I speak only about "eval" (not "exec" or "rexec" nor "bastion").
> In the "eval" world, you only have expressions. And with the
> "__builtins__" above, you have no builtin functions, no classes, no
> types -- you have just the literals the parser can recognize: strings,
> integer, float, None, lists, tuples, dicts, generators and the typical
> operators on them.

I suggest you actually follow your own usual advice and do some searching,
it's never that simple, as you'll see from the bugs people have
encountered with rexec and bastion ;-)

But, for clarity and for the lazy, here's Toby's example of how to get at
some interesting classes without using anything but the exec environment
you described:

{}.__class__.__bases__[0].__subclasses__()

I know Toby wanted to keep that off-list but I think it's important that
people understand just how unsafe it is to exec anything you can't 100%
trust.

I have an adage that "there's always something better than exec" and I
haven't been proved wrong yet...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] python script, from string to dictionary.
Chris Withers wrote at 2008-2-8 11:14 +:
>Dieter Maurer wrote:
>> It is easy to secure "eval":
>>
>>globs = {'__builtins__':{}}
>>eval(s, globs, globs)
>>
>> This ensures that "eval" cannot use any builtin functions --
>> especially, it cannot import anything.
>
>I'm fairly sure this isn't enough

That you are fairly sure is not enough -- unless you show me an exploit

>- google for the bugs in python's
>rexec and bastion modules which lead to them being deprecated...

I speak only about "eval" (not "exec" or "rexec" nor "bastion").
In the "eval" world, you only have expressions. And with the
"__builtins__" above, you have no builtin functions, no classes, no types
-- you have just the literals the parser can recognize: strings, integer,
float, None, lists, tuples, dicts, generators and the typical operators on
them.

You are able to construct huge objects and can cause denial of service.
But this is possible even without "eval"

--
Dieter
Re: [Zope] python script, from string to dictionary.
Dieter Maurer wrote:
> It is easy to secure "eval":
>
> globs = {'__builtins__':{}}
> eval(s, globs, globs)
>
> This ensures that "eval" cannot use any builtin functions --
> especially, it cannot import anything.

I'm fairly sure this isn't enough - google for the bugs in python's rexec
and bastion modules which lead to them being deprecated...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
Re: [Zope] python script, from string to dictionary.
[EMAIL PROTECTED] wrote:
> I 'serialized' mysql data in order to flatten one-to-many related tables.
> the resulting dictionaries (one per record) are i.e. as:
>
> mydict [ brandcode ] = {
>     'itemcode': 'some value',
>     'itemsizeavail': [ ('XL',), ('XXL',), ('S',) ],
>     'keythree': '',
>     'keyfour': [ ],
>     ...
> }
>
> now then I can index the whole content in order to get it searchable
> from the Plone quick search form.

This is more than a little insane...

> mydict [ ] records are then saved as strings in a DB table records.

?!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
Re: [Zope] python script, from string to dictionary.
Chris Withers wrote at 2008-2-7 10:25 +:
>Bill Campbell wrote:
>> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>>> hello!
>>>
>>> I converted a dictionary in a string, and now I need to change back the
>>> same string as a dictionary in a zope python script.
>>
>> s = repr(d)
>> newdict = eval(s)
>
>NO!
>
>Never ever ever eval strings. At some point you will end up eval'ing a
>user-supplied string and hey presto - instant massive security
>vulnerability.

It is easy to secure "eval":

globs = {'__builtins__':{}}
eval(s, globs, globs)

This ensures that "eval" cannot use any builtin functions --
especially, it cannot import anything.

--
Dieter
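The two positions in this thread can be checked side by side: Dieter's "secured" eval above, and Chris's later point that `{}.__class__.__bases__[0].__subclasses__()` still reaches classes under that same empty `__builtins__`. The script below is an added example, not code posted by anyone in the thread. It assumes Python 2.6 or later, where `ast.literal_eval` exists; the sample record and the size limit are constructed here, and the `parse_record` / `outcome` / `roundtrip_ok` names are this example's own. It also assumes the serialization is the `repr(d)` Bill suggested. Note that a Zope Python Script runs under restricted Python, so `import ast` would normally have to live in an External Method or a filesystem product rather than in the script itself (an assumption about the deployment, not something the thread states).

```python
import ast

# Constructed sample record, in the repr(d) form Bill suggested in this thread.
SAMPLE = ("{'itemcode': 'some value', 'itemsizeavail': [('XL',), ('XXL',), ('S',)], "
          "'keythree': '', 'keyfour': []}")

# The expression Chris quoted: plain attribute access, no builtins needed.
PROBE = "{}.__class__.__bases__[0].__subclasses__()"

# Largest serialized record we are willing to parse. Assumed limit: Dieter's
# denial-of-service point is that even a literal-only parser will happily
# build a huge object from a huge string, so bound the input first.
MAX_LEN = 64 * 1024


def restricted_eval(s):
    """Dieter's recipe from the thread: eval with an empty __builtins__."""
    globs = {'__builtins__': {}}
    return eval(s, globs, globs)


def parse_record(s, max_len=MAX_LEN):
    """Rebuild a dict from its repr() using only the literal grammar.

    ast.literal_eval accepts strings, numbers, None/True/False, tuples,
    lists, dicts and sets; attribute access, subscripts, calls and names
    raise ValueError, so the probe above never gets past the parser.
    """
    if len(s) > max_len:
        raise ValueError('serialized record too large: %d bytes' % len(s))
    value = ast.literal_eval(s)
    # The application stores one dict per record; reject anything else.
    if not isinstance(value, dict):
        raise ValueError('expected a dict, got %s' % type(value).__name__)
    return value


def outcome(parser, s):
    """Run a parser and report ('ok', value) or ('rejected', exception name)."""
    try:
        return ('ok', parser(s))
    except (ValueError, SyntaxError, TypeError) as exc:
        return ('rejected', type(exc).__name__)


def roundtrip_ok(d):
    """True if repr(d) comes back unchanged through parse_record."""
    return parse_record(repr(d)) == d


if __name__ == '__main__':
    for name, parser in (('restricted eval', restricted_eval),
                         ('literal_eval', parse_record)):
        kind, value = outcome(parser, PROBE)
        shown = '%d classes reachable' % len(value) if kind == 'ok' else value
        print('%-16s probe -> %s: %s' % (name, kind, shown))
    print('record -> %r' % parse_record(SAMPLE)['itemsizeavail'])
```

Run stand-alone, the first line of output shows the restricted eval returning a non-empty list of classes for the probe, while `parse_record` rejects it with `ValueError` and still reads the real record back, tuples inside lists included. The size check is the only defence against Dieter's oversized-input case; `literal_eval` removes the code-execution problem, not the resource one.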
Re: [Zope] python script, from string to dictionary.
On Thursday 07 February 2008 11:25:07 Chris Withers wrote:
> Bill Campbell wrote:
> > On Thu, Feb 07, 2008, Stefano Guglia wrote:
> >> hello!
> >>
> >> I converted a dictionary in a string, and now I need to change back the
> >> same string as a dictionary in a zope python script.
> >
> > s = repr(d)
> > newdict = eval(s)
>
> NO!
>
> Never ever ever eval strings. At some point you will end up eval'ing a
> user-supplied string and hey presto - instant massive security
> vulnerability.
>
> The original post is a bit crap, since no mention was made as to how the
> dict was turned into a string. As to what he wants to do with this and
> why he's doing it, that's likely the source of the real problem!
>
> cheers,
>
> Chris

I 'serialized' mysql data in order to flatten one-to-many related tables.
the resulting dictionaries (one per record) are i.e. as:

mydict [ brandcode ] = {
    'itemcode': 'some value',
    'itemsizeavail': [ ('XL',), ('XXL',), ('S',) ],
    'keythree': '',
    'keyfour': [ ],
    ...
}

now then I can index the whole content in order to get it searchable
from the Plone quick search form.

mydict [ ] records are then saved as strings in a DB table records.

I need now to pass again from string to dict, to access key/values and
print detailed reports.

If you have much better ideas on how to, pls let us know.
I handle python, zope etc. at a very basic level now, so surely I've
missed some features.

I'm sorry if I wasn't clear, and thanks!

Stefano.
Re: [Zope] python script, from string to dictionary.
Bill Campbell wrote:
> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>> hello!
>>
>> I converted a dictionary in a string, and now I need to change back the
>> same string as a dictionary in a zope python script.
>
> s = repr(d)
> newdict = eval(s)

NO!

Never ever ever eval strings. At some point you will end up eval'ing a
user-supplied string and hey presto - instant massive security
vulnerability.

The original post is a bit crap, since no mention was made as to how the
dict was turned into a string. As to what he wants to do with this and
why he's doing it, that's likely the source of the real problem!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
Re: [Zope] python script, from string to dictionary.
On Thu, Feb 07, 2008, Stefano Guglia wrote:
>hello!
>
>I converted a dictionary in a string, and now I need to change back the
>same string as a dictionary in a zope python script.

s = repr(d)
newdict = eval(s)

Bill
--
INTERNET: [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186               Mercer Island, WA 98040-0820; (206) 236-1676

That rifle on the wall of the labourer's cottage or working class flat is
the symbol of democracy. It is our job to see that it stays there.
--GEORGE ORWELL
[Zope] python script, from string to dictionary.
hello!

I converted a dictionary in a string, and now I need to change back the
same string as a dictionary in a zope python script.

Any help?

thanks,
Stefano.