On Jan 16, 3:45 pm, mario ruggier <mario.rugg...@gmail.com> wrote:

> > '(x for x in ()).throw("bork")'
>
> What is the potential security risk with this one?

I don't see a concrete issue, just found it tempting... raising hand-crafted objects :)

> All the above attempts will be blocked this way. Any other disallowed
> sub-strings to add to the list above?

None that I know of, but I suggest testing with dir, globals, locals and '__' enabled (which I haven't done yet), as spotting possible flaws should be easier. If you can get BOM+encoded garbage tested (see http://tinyurl.com/72d98y ), it might be worth it too.

This one fails in lots of interesting ways when you juggle keyword-args around:

    exprs = [
        'evoque("hmm", filters=[unicode.upper], src="/etc/python2.5/site.py")',
    ]

> And thanks a lot Daniel, need to find a way to get some beer over to
> ya... ;-)

You're welcome! Don't worry about the beer, I'd only consider a real promise if it involved chocolate :D

Regards,
Daniel
--
http://mail.python.org/mailman/listinfo/python-list
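As an added example (not code from this thread or from the evoque project), the following AST-based allowlist checker shows the alternative to the disallowed-substring list discussed above: it rejects the generator `.throw()` expression and the keyword-argument `evoque(...)` expression structurally, and it also catches `dir`/`globals`/`locals` and `__`-prefixed attributes. The allowed node types, the context names `title`/`items`/`upper`, and the assumption that `evoque()` accepts only a `filters` keyword are all policy choices made up for this example.

```python
import ast

# Node types a template expression may contain. Comprehensions, generator
# expressions, lambdas and starred arguments are deliberately absent.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.BinOp, ast.UnaryOp,
    ast.BoolOp, ast.Compare, ast.IfExp, ast.Tuple, ast.List, ast.Dict,
    ast.Call, ast.Attribute, ast.keyword, ast.Add, ast.Sub, ast.Mult, ast.Div,
    ast.Mod, ast.And, ast.Or, ast.Not, ast.USub, ast.Eq, ast.NotEq, ast.Lt,
    ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
)
# Callables a template may invoke, each with the keyword arguments it accepts.
# Assumed policy for this example: evoque() takes only "filters" here.
ALLOWED_CALLS = {"len": set(), "str": set(), "evoque": {"filters"}}
# Plain names a template may reference (assumed template context).
ALLOWED_NAMES = {"title", "items", "upper"} | set(ALLOWED_CALLS)
# Attributes that reach generator/frame internals or raise arbitrary objects.
BLOCKED_ATTRS = {"throw", "send", "close", "gi_frame", "gi_code", "func_globals"}


def check_expression(src):
    """Return None if `src` satisfies the policy, else a reason string."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError as exc:
        return "syntax error: %s" % exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return "disallowed syntax: %s" % type(node).__name__
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return "unknown name: %s" % node.id
        if isinstance(node, ast.Attribute) and (
                node.attr.startswith("__") or node.attr in BLOCKED_ATTRS):
            return "disallowed attribute: %s" % node.attr
        if isinstance(node, ast.Call):
            # Only direct calls to listed names; never the result of an
            # attribute lookup, subscript or another call.
            if not isinstance(node.func, ast.Name):
                return "only direct calls to allowed names are permitted"
            allowed_kw = ALLOWED_CALLS.get(node.func.id)
            if allowed_kw is None:
                return "call to unknown name: %s" % node.func.id
            if any(k.arg is None for k in node.keywords):
                return "** expansion not allowed in call to %s" % node.func.id
            bad = {k.arg for k in node.keywords} - allowed_kw
            if bad:
                return "disallowed keyword %s for %s" % (", ".join(sorted(bad)), node.func.id)
    return None
```

`check_expression` returns None for `len(items) > 3 and title`, but rejects both expressions quoted in the thread with a reason string, so the policy can be unit-tested rather than probed by hand.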