Dieter Maurer wrote:
>> - google for the bugs in python's
>> rexec and bastion modules which led to them being deprecated...
>
> I speak only about "eval" (not "exec" or "rexec" nor "bastion").
> In the "eval" world, you only have expressions.
> And with the "__builtins__" above, you have no builtin functions,
> no classes, no types -- you have just the literals the parser
> can recognize: strings, integer, float, None, lists, tuples,
> dicts, generators and the typical operators on them.

I suggest you actually follow your own usual advice and do some
searching, it's never that simple, as you'll see from the bugs people
have encountered with rexec and bastion ;-)
But, for clarity and for the lazy, here's Toby's example of how to get
at some interesting classes without using anything but the exec
environment you described:
{}.__class__.__bases__[0].__subclasses__()
I know Toby wanted to keep that off-list but I think it's important that
people understand just how unsafe it is to exec anything you can't 100%
trust.
I have an adage that "there's always something better than exec" and I
haven't been proved wrong yet...
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
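
An added example, not part of the original message or of Zope's code: it runs the expression quoted above under eval() with empty builtins to show that classes remain reachable, next to ast.literal_eval, which accepts only literals and rejects the same input. It assumes the "__builtins__" environment referred to in the thread is an empty mapping passed as eval's globals; the function names are hypothetical.

```python
import ast

# Assumption: the "restricted" environment discussed in the thread is an
# eval() call whose globals carry an empty __builtins__ mapping.
RESTRICTED_GLOBALS = {"__builtins__": {}}

# The expression quoted in the message above.
ESCAPE_EXPR = "{}.__class__.__bases__[0].__subclasses__()"


def restricted_eval(expr):
    """eval() with no builtins: the approach the thread argues is unsafe."""
    return eval(expr, dict(RESTRICTED_GLOBALS), {})


def reachable_classes(expr=ESCAPE_EXPR):
    """Names of the classes the expression reaches despite empty builtins."""
    return sorted(cls.__name__ for cls in restricted_eval(expr))


def parse_literal(text):
    """Accept only Python literals; anything else raises ValueError."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a plain literal: {text!r}") from exc


if __name__ == "__main__":
    # Builtin names really are gone in the restricted environment...
    try:
        restricted_eval("len('x')")
    except NameError as err:
        print("builtins blocked:", err)

    # ...yet attribute access on a literal still walks to object's subclasses.
    print(f"restricted eval exposed {len(reachable_classes())} classes")

    # Constructed sample inputs: one plain literal, two attribute walks.
    print(parse_literal("{'a': [1, 2.5, None], 'b': (True, 'x')}"))
    for untrusted in (ESCAPE_EXPR, "[].__class__"):
        try:
            parse_literal(untrusted)
        except ValueError as err:
            print("rejected:", err)
```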