"Kent Johnson" <[EMAIL PROTECTED]> wrote

 e = "tuple(" + s + ")"

 x,y  = eval(e)    # x -> 2.5, y -> 2.8

This works just as well:
s = '__import__("os").system("rm -rf /")'


I don't think it would, since the eval would call tuple,
which would return a tuple of characters which would
not unpack into x,y, so throwing an error.

But John's example with the closing paren definitely would work.

So the moral is: don't be lazy, parse the input if there is
any possibility of hostile (or just uncontrolled) access to the input....

--
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld

_______________________________________________
Tutor maillist  -  [email protected]
http://mail.python.org/mailman/listinfo/tutor

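The moral of the thread, worked through as an added example (editor's code, not from any of the posters): a parser that accepts only two numeric literals, an ast.literal_eval variant that does the same, and the original eval approach run against a harmless canary standing in for the os.system payload. The canary shows that eval runs whatever sits inside the parentheses before tuple() ever sees the result, so the later error does not undo it. The names side_effect, CANARY, parse_pair, parse_pair_literal, unsafe_eval_pair and the sample inputs are constructed for this example.

```python
import ast
import re

# Constructed sample inputs for this example (not taken from the thread).
GOOD_INPUT = "2.5, 2.8"
HOSTILE_INPUT = "side_effect()"                # stands in for __import__("os").system(...)
HOSTILE_PAREN_INPUT = "1), side_effect(), (2"  # the closing-paren variant mentioned in the thread

# Hypothetical canary: records that embedded code ran instead of doing damage.
CANARY = []


def side_effect():
    CANARY.append("ran")
    return 0


# Exactly two decimal numbers separated by a comma; nothing else is accepted.
_PAIR_RE = re.compile(r"^\s*([+-]?\d+(?:\.\d+)?)\s*,\s*([+-]?\d+(?:\.\d+)?)\s*$")


def parse_pair(s):
    """Parse 'x, y' into a tuple of two floats without evaluating anything."""
    m = _PAIR_RE.match(s)
    if m is None:
        raise ValueError("expected two numbers separated by a comma, got %r" % s)
    return float(m.group(1)), float(m.group(2))


def parse_pair_literal(s):
    """Same contract via ast.literal_eval, which only accepts Python literals
    (no calls, no attribute access, no imports)."""
    try:
        value = ast.literal_eval("(" + s + ")")
    except SyntaxError as exc:
        raise ValueError("not a literal: %r" % s) from exc
    if not (isinstance(value, tuple) and len(value) == 2 and
            all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in value)):
        raise ValueError("expected a pair of numbers, got %r" % (value,))
    return float(value[0]), float(value[1])


def unsafe_eval_pair(s):
    """The thread's approach, kept only for contrast: eval evaluates the
    embedded expression first, then hands the result to tuple()."""
    return eval("tuple(" + s + ")", {"side_effect": side_effect})


def demo():
    """Run both parsers and the eval version; return what happened."""
    results = {"good": parse_pair(GOOD_INPUT),
               "good_literal": parse_pair_literal(GOOD_INPUT)}
    for name, fn in (("regex", parse_pair), ("literal_eval", parse_pair_literal)):
        for label, bad in (("hostile", HOSTILE_INPUT), ("paren", HOSTILE_PAREN_INPUT)):
            try:
                fn(bad)
                results["%s_%s" % (name, label)] = "accepted"
            except ValueError:
                results["%s_%s" % (name, label)] = "rejected"
    # eval does raise (tuple(0) is a TypeError), but only after side_effect() ran.
    del CANARY[:]
    try:
        unsafe_eval_pair(HOSTILE_INPUT)
    except TypeError:
        pass
    results["eval_ran_side_effect"] = bool(CANARY)
    return results


if __name__ == "__main__":
    for key, val in sorted(demo().items()):
        print(key, "=", val)
```

The regex route is the stricter of the two: it also refuses values that are valid Python literals but not what the program wants (complex numbers, nested tuples, "1e5"). ast.literal_eval is convenient when the input format is genuinely "a Python literal", but the type check after it is still needed, since a literal can be a string or list just as easily as a pair of floats.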