On Wed, Nov 26, 2008 at 2:46 PM, Alan Gauld <[EMAIL PROTECTED]> wrote:
>
> "Kent Johnson" <[EMAIL PROTECTED]> wrote
>
>>>>> e = "tuple(" + s + ")"
>>>>>
>>>>> x,y = eval(e) # x -> 2.5, y -> 2.8
>>
>> This works just as well:
>> s = '__import__("os").system("rm -rf /")'
>>
>
> I don' think it would since the eval would call tuple
> which would return a tuple of characters which would
> not unpack into x,y so throwing an error.
Care to try it? It does raise an exception but not until after the
import expression is evaluated and the damage is done.
In [4]: s = '__import__("os").system("dir")'
In [5]: e = "tuple(" + s + ")"
In [6]: eval(e)
echo off
Volume in drive C is unlabeled Serial number is 5487:d172
Directory of C:\Project\Play\*
<snip>
7,757,694 bytes in 3 files and 18 dirs 7,766,016 bytes allocated
96,700,784,640 bytes free
---------------------------------------------------------------------------
TypeError Traceback (most recent call last)
C:\Project\Play\<ipython console> in <module>()
C:\Project\Play\<string> in <module>()
TypeError: 'int' object is not iterable
Kent
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
