On Mon, 20 May 2013 10:55:35 +0300, Carlos Nepomuceno wrote:
> I understand your motivation but I don't know what protection
> ast.literal_eval() is offering that eval() doesn't.

eval will evaluate any legal Python expression:

py> eval("__import__('os').system('echo Mwahaha! Now you are pwned!') or 42")
Mwahaha! Now you are pwned!
42

ast.literal_eval() does exactly what the name says: it will evaluate any
legal Python LITERAL, including ints, floats, lists, dicts and strings,
but not arbitrary expressions.

py> ast.literal_eval('123')
123
py> ast.literal_eval('[123, None, "spam"]')
[123, None, 'spam']
--
Steven
--
http://mail.python.org/mailman/listinfo/python-list
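The distinction Steven draws above, as an added example that is not from the thread: a small wrapper around ast.literal_eval() that accepts literals, turns the rejected expressions (including the os.system payload from the eval demo) into an error result rather than running them, and caps input length, since the Python docs warn that sufficiently large or deeply nested strings can exhaust the compiler's stack. The input list, the parse_literal() helper and the 100-character limit are constructed for this example.

```python
import ast

# Constructed inputs an untrusted caller might submit.
UNTRUSTED_INPUTS = [
    '123',
    '[123, None, "spam"]',
    '{"a": (1, 2.5), "b": {1, 2}}',            # nested containers are literals
    "__import__('os').system('echo Mwahaha!') or 42",  # the eval() payload above
    '1 + 1',                                   # an expression, not a literal
    'open("x")',                               # a call
    '[' * 200 + ']' * 200,                     # deeply nested; stopped by the size guard
]

MAX_LEN = 100  # assumed policy limit; keeps pathological inputs away from the parser


def parse_literal(text, max_len=MAX_LEN):
    """Return (True, value) for a Python literal, (False, reason) otherwise.

    Nothing in `text` is ever executed: literal_eval only walks the AST of
    constants and container displays and raises on anything else.
    """
    if len(text) > max_len:
        return False, "input too long"
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError is the usual case: "malformed node or string" for calls,
        # attribute access, boolean operators, names, etc.
        return False, f"rejected: {type(exc).__name__}: {exc}"


def classify_all(inputs=UNTRUSTED_INPUTS):
    """Map each input to its (ok, value_or_reason) result."""
    return {text: parse_literal(text) for text in inputs}


if __name__ == "__main__":
    for text, (ok, result) in classify_all().items():
        print(("OK      " if ok else "REJECTED"), repr(text)[:60], "->", result)
```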