Chris Angelico wrote:
> On Thu, Aug 18, 2011 at 5:09 PM, John Gordon <gor...@panix.com> wrote:
>> for x in list_of_strings:
>> list_of_variables.append(eval(x))
>>
>
> If this really is what you need, you can simplify it by using the
> globals() dictionary - it's a regular dictionary whose contents are
> all the global variables in your current module. Inside a function,
> use locals() instead.
You can use locals outside of a function too, because it just returns
globals().
Lookup of names in locals/globals is much safer than eval, particularly if
there is any risk that the list of names comes from an untrusted or
potentially hostile source.
list_of_strings = ['red', 'blue',
'__import__("os").system("echo I just p0wned your system")',
'green', 'yellow']
(The simplest way out of a billion to cause grief.)
Code injection attacks are the first and second most common form of security
vulnerability, ahead of even buffer overflows. Please don't add to the
list.
http://cwe.mitre.org/top25/?2011
(Oh, and if you think that protecting against code injection attacks while
still using eval or exec is simple, please step away from the keyboard.)
--
Steven
--
http://mail.python.org/mailman/listinfo/python-list
