On Wed, Nov 26, 2008 at 2:46 PM, Alan Gauld <[EMAIL PROTECTED]> wrote:
>
> "Kent Johnson" <[EMAIL PROTECTED]> wrote
>
>>>>> e = "tuple(" + s + ")"
>>>>>
>>>>> x,y = eval(e)    # x -> 2.5, y -> 2.8
>>
>> This works just as well:
>> s = '__import__("os").system("rm -rf /")'
>>
>
> I don't think it would since the eval would call tuple
> which would return a tuple of characters which would
> not unpack into x,y so throwing an error.

Care to try it? It does raise an exception but not until after the
import expression is evaluated and the damage is done.

In [4]: s = '__import__("os").system("dir")'

In [5]: e = "tuple(" + s + ")"

In [6]: eval(e)
echo off
 Volume in drive C is unlabeled      Serial number is 5487:d172
 Directory of  C:\Project\Play\*

<snip>
     7,757,694 bytes in 3 files and 18 dirs    7,766,016 bytes allocated
96,700,784,640 bytes free
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)

C:\Project\Play\<ipython console> in <module>()

C:\Project\Play\<string> in <module>()

TypeError: 'int' object is not iterable

Kent
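
Added example, not part of the original thread: the first function reproduces the evaluation order shown in the session above with a harmless recorder in place of os.system, and the second parses the pair without evaluating any expression. The names eval_with_probe, probe and parse_pair are hypothetical, and the input format ("2.5, 2.8", optionally bracketed) is an assumption, since the thread does not show the original value of s.

```python
import ast

def eval_with_probe(s):
    """Run the thread's eval pattern and report whether code inside s ran."""
    calls = []

    def probe(tag):
        # Hypothetical stand-in for a harmful call; returns an int,
        # as os.system does, so tuple() fails the same way.
        calls.append(tag)
        return 0

    try:
        eval("tuple(" + s + ")", {"probe": probe})
        error = None
    except Exception as exc:
        # The exception arrives only after the argument was evaluated.
        error = type(exc).__name__
    return calls, error

def parse_pair(s, max_len=64):
    """Parse 'x, y' into two floats; literals only, no calls or names."""
    if len(s) > max_len:
        raise ValueError("input too long")
    try:
        value = ast.literal_eval(s.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("input is not a plain literal") from None
    if not isinstance(value, (tuple, list)) or len(value) != 2:
        raise ValueError("expected exactly two values")
    # type() check rather than isinstance() so that True/False are rejected
    if not all(type(v) in (int, float) for v in value):
        raise ValueError("values must be numbers")
    return float(value[0]), float(value[1])

if __name__ == "__main__":
    print(eval_with_probe('probe("ran")'))   # constructed input
    print(parse_pair("2.5, 2.8"))            # constructed input
    try:
        parse_pair('probe("ran")')
    except ValueError as exc:
        print("rejected:", exc)
```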