On 21/05/2013 04:39, matt.newvi...@gmail.com wrote:
You might find the asteval module (https://pypi.python.org/pypi/asteval) useful. It provides a relatively safe "eval", for example:

    >>> import asteval
    >>> a = asteval.Interpreter()
    >>> a.eval('x = "abc"')
    >>> a.eval('x in ("abc", "xyz")')
    True
    >>> a.eval('import os')
    NotImplementedError
    import os
    'Import' not supported
    >>> a.eval('__import__("os")')
    NameError
    __import__("os")
    name '__import__' is not defined

This works by maintaining an internal namespace (a flat dictionary), and walking the AST generated for the expression. It supports most Python syntax, including if, for, while, and try/except blocks, and function definitions, with the notable exceptions of eval, exec, class, lambda, yield, and import.

This requires Python 2.6 and higher, and does work with Python 3.3.

Of course, it is not guaranteed to be completely safe, but it does disallow imports, which seems like the biggest vulnerability concern listed here. Currently, there is no explicit protection against long-running calculations for denial of service attacks. If you're exposing an SQL database to user-generated code, that may be worth considering.
Thanks for this, Matt. I will definitely look into it.

Frank

-- 
http://mail.python.org/mailman/listinfo/python-list
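The mechanism Matt describes (a flat dictionary namespace plus an AST walk that only dispatches on whitelisted node types) can be shown in a few dozen lines. The block below is an added illustration, not asteval's code and not from anyone in the thread; it assumes Python 3.8+ (it handles `ast.Constant` only), names such as `MiniInterpreter` and `SafeEvalError` are made up for the example, and the inputs are constructed to mirror Matt's session. It also adds the one thing Matt notes asteval lacks: a per-call node budget so a runaway `while` loop is cut off rather than running forever.

```python
import ast
import operator

# Illustrative AST-walking evaluator, not asteval's implementation and not a
# hardened sandbox. Each supported node type has an on_<Name> handler; any
# node without one (Import, Attribute, Lambda, ClassDef, ...) is refused.


class SafeEvalError(Exception):
    """Raised when the evaluation budget (assumed limit) is exhausted."""


_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMPOPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
           ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}


class MiniInterpreter:
    def __init__(self, max_nodes=10000):
        self.symtable = {}          # the flat namespace; no builtins live here
        self.max_nodes = max_nodes  # nodes visited per eval() before giving up
        self._visited = 0

    def eval(self, source):
        tree = ast.parse(source, mode="exec")
        self._visited = 0
        result = None
        for stmt in tree.body:
            result = self._run(stmt)
        return result

    def _run(self, node):
        self._visited += 1
        if self._visited > self.max_nodes:
            raise SafeEvalError("evaluation budget exceeded")
        handler = getattr(self, "on_" + type(node).__name__, None)
        if handler is None:
            # Import, Attribute, FunctionDef, etc. all land here.
            raise NotImplementedError("'%s' not supported" % type(node).__name__)
        return handler(node)

    def on_Expr(self, node):
        return self._run(node.value)

    def on_Assign(self, node):
        value = self._run(node.value)
        for target in node.targets:
            if not isinstance(target, ast.Name):
                raise NotImplementedError("only simple names can be assigned")
            self.symtable[target.id] = value
        return value

    def on_Name(self, node):
        # Lookup goes only to the flat symtable, so __import__ is simply undefined.
        try:
            return self.symtable[node.id]
        except KeyError:
            raise NameError("name '%s' is not defined" % node.id) from None

    def on_Constant(self, node):
        return node.value

    def on_Tuple(self, node):
        return tuple(self._run(e) for e in node.elts)

    def on_BinOp(self, node):
        op = _BINOPS.get(type(node.op))
        if op is None:
            raise NotImplementedError("operator not supported")
        return op(self._run(node.left), self._run(node.right))

    def on_Compare(self, node):
        left = self._run(node.left)
        for op, comp in zip(node.ops, node.comparators):
            func = _CMPOPS.get(type(op))
            if func is None:
                raise NotImplementedError("comparison not supported")
            right = self._run(comp)
            if not func(left, right):
                return False
            left = right
        return True

    def on_Call(self, node):
        # Resolve the callee through the symtable first, so an unknown name
        # such as __import__ fails with NameError before anything is invoked.
        func = self._run(node.func)
        if node.keywords:
            raise NotImplementedError("keyword arguments not supported")
        return func(*[self._run(a) for a in node.args])

    def on_While(self, node):
        result = None
        while self._run(node.test):     # each test and body node counts toward the budget
            for stmt in node.body:
                result = self._run(stmt)
        return result


def rejects(interp, source, exc_type):
    """Return True if evaluating `source` raises exc_type (test helper)."""
    try:
        interp.eval(source)
    except exc_type:
        return True
    return False
```

Note the deliberate gaps: no `on_Attribute`, so `"".__class__` style escapes are refused outright rather than filtered, and no builtins in the symtable, so the only callables are those the host chooses to place there. The node budget is a blunt instrument (a single expensive operation such as `10 ** 10 ** 6` is one node) and is only meant to show where such a check would sit.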