Sion Arrowsmith wrote:I'm probably not thinking deviously enough here, but how are you going to exploit an eval() which has very tightly controlled globals and locals (eg. eval(x, {"__builtins__": None}, {}) ?
try this:
eval("'*'*1000000*2*2*2*2*2*2*2*2*2")
I updated the safe eval recipe I posted yesterday to add the option of reporting unsafe source, rather than silently ignoring it. Is this completely safe? I'm interested in feedback.
Michael
Some source to try:
>>> goodsource = """[1, 2, 'Joe Smith', 8237972883334L, # comment
... {'Favorite fruits': ['apple', 'banana', 'pear']}, # another comment
... 'xyzzy', [3, 5, [3.14159, 2.71828, []]]]"""
...Unquoted string literal
>>> badsource = """[1, 2, JoeSmith, 8237972883334L, # comment
... {'Favorite fruits': ['apple', 'banana', 'pear']}, # another comment
... 'xyzzy', [3, 5, [3.14159, 2.71828, []]]]"""
...
Non-constant expression
>>> effbot = "'*'*1000000*2*2*2*2*2*2*2*2*2">>> safe_eval(good_source)
[1, 2, 'Joe Smith', 8237972883334L, {'Favorite fruits': ['apple', 'banana', 'pear']}, 'xyzzy', [3, 5, [3.1415899999999999, 2.71828, []]]]
>>> assert _ == eval(good_source)
>>> safe_eval(bad_source) Traceback (most recent call last): [...] Unsafe_Source_Error: Line 1. Strings must be quoted: JoeSmith
>>> safe_eval(bad_source, fail_on_error = False)
[1, 2, None, 8237972883334L, {'Favorite fruits': ['apple', 'banana', 'pear']}, 'xyzzy', [3, 5, [3.1415899999999999, 2.71828, []]]]
>>> safe_eval(effbot) Traceback (most recent call last): [...] Unsafe_Source_Error: Line 1. Unsupported source construct: compiler.ast.Mul
>>> safe_eval(effbot, fail_on_error = False) ... '*' >>>
Source:
import compiler
class Unsafe_Source_Error(Exception):
def __init__(self,error,descr = None,node = None):
self.error = error
self.descr = descr
self.node = node
self.lineno = getattr(node,"lineno",None) def __repr__(self):
return "Line %d. %s: %s" % (self.lineno, self.error, self.descr)
__str__ = __repr__class AbstractVisitor(object):
def __init__(self):
self._cache = {} # dispatch table def visit(self, node,**kw):
cls = node.__class__
meth = self._cache.setdefault(cls,
getattr(self,'visit'+cls.__name__,self.default))
return meth(node, **kw) def default(self, node, **kw):
for child in node.getChildNodes():
return self.visit(child, **kw)
visitExpression = defaultclass SafeEval(AbstractVisitor):
def visitConst(self, node, **kw):
return node.value def visitDict(self,node,**kw):
return dict([(self.visit(k),self.visit(v)) for k,v in node.items]) def visitTuple(self,node, **kw):
return tuple(self.visit(i) for i in node.nodes) def visitList(self,node, **kw):
return [self.visit(i) for i in node.nodes]class SafeEvalWithErrors(SafeEval):
def default(self, node, **kw):
raise Unsafe_Source_Error("Unsupported source construct",
node.__class__,node) def visitName(self,node, **kw):
raise Unsafe_Source_Error("Strings must be quoted",
node.name, node)# Add more specific errors if desired
def safe_eval(source, fail_on_error = True): walker = fail_on_error and SafeEvalWithErrors() or SafeEval() try: ast = compiler.parse(source,"eval") except SyntaxError, err: raise try: return walker.visit(ast) except Unsafe_Source_Error, err: raise
-- http://mail.python.org/mailman/listinfo/python-list
