On Apr 10, 7:54 pm, Steven D'Aprano <st...@remove-this-cybersource.com.au> wrote:
> On Thu, 09 Apr 2009 13:13:50 -0400, Terry Reedy wrote:
> > Joel Hedlund wrote:
> >> Hi all!
> >
> >> I'm writing a program that presents a lot of numbers to the user, and I
> >> want to let the user apply moderately simple arithmetics to these
> >> numbers. One possibility that comes to mind is to use the eval
> >> function, but since that sends up all kinds of warning flags in my
> >> head,
> >
> > Where does the program execute? If on the user's own machine, no
> > problem.
>
> Until the user naively executes a code sample he downloaded from the
> Internet, and discovers to his horror that his *calculator* is able to
> upload his banking details to an IRC server hosted in Bulgaria.

Mine does that anyway! ..Often without telling anyone.

> How quickly we forget... for twenty or thirty years all malware
> infections were via programs executed on the user's own machine.
>
> > Eval is no more dangerous than Python itself.
>
> But users know Python is a Turing-complete programming language that can
> do anything their computer can do. It would come to an unpleasant
> surprise to discover that (say) your icon editor was also a
> Turing-complete programming language capable of doing anything your
> C-compiler could do.

The same holds for applications written in Python. Don't they know that his calculator is written in Python? Do many applications include a programming language?

Why do I get the feeling that the authors of 'pyparsing' are out of breath?

I wonder if you could do something like copy and paste a "fork" of the 'ast' module, and just remove non-arithmetic classes; then do a normal walk and transform of the foreign code...

--
http://mail.python.org/mailman/listinfo/python-list