Dan Bishop wrote:
> Simon Brunning wrote:
>> [...]
>
> Or if you do use eval, don't give it access to any names.
>
>> [...]
> os.system("rm -rf *")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
>   File "<string>", line 0, in ?
> NameError: name 'os' is not defined

Have you tried giving it the string '__import__("os").system("rm -rf *")'? [Don't try that at home children!]

Even if you take steps to avoid that working by hiding the builtins, there are still too many ways to do nasty things with eval for it ever to be safe.
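The behaviour discussed in this message, as an added example that is not part of the original post: `eval` with an empty names dict still gets `__builtins__` injected, so `__import__` resolves, while `ast.literal_eval` accepts only literals. The probe string is a constructed, harmless stand-in for the one quoted above, and the function names are hypothetical.

```python
import ast

# Constructed, harmless stand-in for the string in the post: it only reads
# the os module's name instead of running a shell command.
PROBE = '__import__("os").name'


def eval_no_names(expr):
    """eval with an empty globals dict ("no access to any names")."""
    scope = {}
    try:
        result = eval(expr, scope)
    except Exception as exc:
        # Third field: did eval insert __builtins__ into our empty dict?
        return ("error", type(exc).__name__, "__builtins__" in scope)
    return ("ok", result, "__builtins__" in scope)


def eval_hidden_builtins(expr):
    """eval with __builtins__ replaced by an empty dict (the "hiding" step).

    This stops the probe string only; as the post says, it does not make
    eval safe.
    """
    try:
        return ("ok", eval(expr, {"__builtins__": {}}, {}))
    except Exception as exc:
        return ("error", type(exc).__name__)


def parse_literal(text):
    """Accept only Python literals; no names are looked up, nothing is called."""
    try:
        return ("ok", ast.literal_eval(text))
    except (ValueError, SyntaxError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    print(eval_no_names("os.name"))        # NameError, as in the quoted traceback
    print(eval_no_names(PROBE))            # succeeds: builtins were injected
    print(eval_hidden_builtins(PROBE))     # NameError for this one string
    print(parse_literal(PROBE))            # rejected: a call is not a literal
    print(parse_literal("[1, 2, {'a': 3}]"))
```
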