Duncan Booth wrote:
I'm slightly surprised that nobody has yet pointed out that the OP failed
at the very first hurdle here. If you are going to do this dangerous trick
then 'builtins' should be spelled '__builtins__':
I did, because otherwise the exploit I gave wouldn't have worked so
Erik Max Francis [EMAIL PROTECTED] wrote:
This is an _extremely_ bad idea. _Never_ use eval in a case where you
are trying to validate input.
def e(source): return eval(source, {'builtins': {}})
...
e("__import__('sys').exit()")
Oops, the interpreter exited.
Absent from http://www.python.org/doc/current/lib/built-in-funcs.html
but now copied to the Faq list of http://pyfaq.infogami.com/suggest,
from these clp archives:
///
Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?
[EMAIL PROTECTED] writes:
Q: How can I tell Python to calculate what quoted strings and numbers
mean, without also accidentally accepting OS commands as input?
A: eval(source, {'builtins': {}})
That is dangerous. Consider source = 9**9**9. There's a better
recipe on ASPN:
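A defensive way to answer the FAQ question above, as an added example that is not from this thread and is not the ASPN recipe it mentions: ast.literal_eval parses the input and accepts only literal nodes (quoted strings, numbers, lists, tuples, dicts, sets, booleans, None), so calls such as __import__('sys').exit() and arithmetic such as 9**9**9 are rejected before anything runs. The MAX_SOURCE_LEN cap and the safe_literal wrapper are my assumptions, not part of the FAQ.

```python
import ast

# Assumption: cap the input size so the parser is never fed unbounded text.
MAX_SOURCE_LEN = 4096


def safe_literal(source):
    """Evaluate a Python literal without executing any code.

    Returns (True, value) on success or (False, reason) when the input
    is rejected. Unlike eval(source, {'__builtins__': {}}), this never
    calls functions, looks up names or evaluates operators such as **.
    """
    if not isinstance(source, str):
        return False, "source must be a str"
    if len(source) > MAX_SOURCE_LEN:
        return False, "source too long (%d > %d)" % (len(source), MAX_SOURCE_LEN)
    try:
        return True, ast.literal_eval(source)
    except (ValueError, SyntaxError) as exc:
        # ValueError: non-literal node (Call, Name, Attribute, BinOp with **)
        # SyntaxError: input that is not valid Python at all
        return False, "%s: %s" % (type(exc).__name__, exc)
    except TypeError as exc:
        # e.g. {[1]: 2} parses as a literal but the dict key is unhashable
        return False, "TypeError: %s" % exc
    except (RecursionError, MemoryError) as exc:
        # Defensive: refuse pathological nesting instead of blowing up.
        return False, "%s: input too deeply nested" % type(exc).__name__


# Constructed sample inputs: the good ones come from the FAQ question,
# the bad ones are the two attacks discussed in the thread plus garbage.
SAMPLES = [
    "'hello'",
    "42",
    "[1, 2.5, 'x']",
    "__import__('sys').exit()",
    "9**9**9",
    "1 +",
]


def check_samples():
    """Return {source: accepted?} for every constructed sample."""
    return {src: safe_literal(src)[0] for src in SAMPLES}


if __name__ == "__main__":
    for src, ok in check_samples().items():
        print("%-28r -> %s" % (src, "accepted" if ok else "rejected"))
```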