On Oct 8, 7:34 pm, "Warren DeLano" <[EMAIL PROTECTED]> wrote: > I would like to parse arbitrary insecure text string containing nested > Python data structures in eval-compatible form: > ... > # But I know for certain that the above approach is NOT secure since > object attributes can still be accessed... > > So is there an equally convenient yet secure alternative available for > parsing strings containing Python data structure definitions? > > Thanks in advance for any pointers! > > Cheers, > Warren
As mentioned, I don't know if everything has been tried or how secure what attempts have been. I haven't seen this one: Python 2.6 (r26:66721, Oct 2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win 32 Type "help", "copyright", "credits" or "license" for more information. >>> del __builtins__ >>> a= [ x for x in (1).__class__.__bases__[0].__subclasses__() if x.__name__== 'file' ][ 0 ] >>> a <type 'file'> >>> a('abc.txt','w') Traceback (most recent call last): File "<stdin>", line 1, in <module> IOError: file() constructor not accessible in restricted mode >>> import os Traceback (most recent call last): File "<stdin>", line 1, in <module> ImportError: __import__ not found So, at least one of the newsgroup favorites is gone. Take a shot though! Maybe a variant would be sufficient. No warranty. -- http://mail.python.org/mailman/listinfo/python-list