On Thu, 17 May 2007 18:29:35 -0300, GreenH <[EMAIL PROTECTED]>  
wrote:

> Thanks, but my interest is actually in finding the cases in which
> eval(expr) would throw surprises at me by bringing changes in
> namespace(s), just because I haven't given a namespace for that eval()
> i.e., where would we see the perils of not passing namespace to the
> 'eval'.

As already said, it's hard to make changes to the local namespace, but the  
global namespace is directly accessible.

py> z = {'a': 1}
py> eval("z.setdefault('b',2)")
2
py> z
{'a': 1, 'b': 2}

eval is unsafe by definition, even if you provide your own namespaces. If  
you can't trust the expression to be evaluated, don't use eval if you are  
minimally concerned about security.

-- 
Gabriel Genellina

-- 
http://mail.python.org/mailman/listinfo/python-list
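
An added example, not part of the message above: it runs the post's `z.setdefault('b',2)` expression against a live namespace, a shallow copy and a deep copy to show where the side effect lands, then passes the same string to `ast.literal_eval`. The helper names `changed_names` and `demo` are hypothetical, and `ast.literal_eval` is not mentioned in the thread.

```python
import ast
import copy

EXPR = "z.setdefault('b', 2)"   # the expression from the post
_MISSING = object()             # sentinel for names that did not exist before


def changed_names(expr, globals_ns, locals_ns=None):
    """Run eval() and return (result, names in globals_ns whose value changed)."""
    def visible(ns):
        return {k: v for k, v in ns.items() if k != "__builtins__"}
    before = copy.deepcopy(visible(globals_ns))
    result = eval(expr, globals_ns, locals_ns)
    after = visible(globals_ns)
    changed = sorted(k for k in after if before.get(k, _MISSING) != after[k])
    return result, changed


def demo():
    report = {}

    # 1. Live namespace (what a bare eval(expr) sees): the mutation persists,
    #    and eval() itself inserts a __builtins__ key into the dict it is given.
    live = {"z": {"a": 1}}          # constructed sample namespace
    report["live"] = changed_names(EXPR, live)
    report["builtins_inserted"] = "__builtins__" in live

    # 2. Shallow copy: a new dict, but the same inner object, so the change leaks.
    original = {"z": {"a": 1}}
    changed_names(EXPR, dict(original))
    report["shallow_leaks"] = original["z"] == {"a": 1, "b": 2}

    # 3. Deep copy: keeps accidental changes out of the caller's data.
    #    This limits surprises only; it is not a security boundary.
    original = {"z": {"a": 1}}
    changed_names(EXPR, copy.deepcopy(original))
    report["deep_isolated"] = original["z"] == {"a": 1}

    # 4. For untrusted literals, ast.literal_eval refuses calls and names.
    try:
        ast.literal_eval(EXPR)
        report["literal_eval"] = "accepted"
    except ValueError:
        report["literal_eval"] = "rejected"
    report["literal_value"] = ast.literal_eval("{'a': 1, 'b': 2}")
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```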
