On 2020-01-19 7:53 PM, Paul Moore wrote:
> On Sun, 19 Jan 2020 at 17:45, <mus...@posteo.org> wrote:
>
>> Is it actually possible to build a "sandbox" around eval, permitting it
>> only to do some arithmetic and use some math functions, but no
>> filesystem access or module imports?
>
> If you require safety, you really need to write your own parser/evaluator.


I have written a simple parser/evaluator that is sufficient for my simple requirements, and I thought I was safe.

Then I saw this comment in a recent post by Robin Becker of ReportLab -

    "avoiding simple things like ' '*(10**200) seems quite difficult"

I realised that my method is vulnerable to this and, like Robin, I have not come up with an easy way to guard against it.

Frank Millman

--
https://mail.python.org/mailman/listinfo/python-list
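The kind of restricted evaluator Paul suggests, with a guard for the resource-exhaustion case Frank and Robin describe, as an added example that is not code from the thread or from either poster. It walks the `ast` instead of calling `eval`, accepts only numeric literals, a handful of operators, a whitelist of `math` functions and the names `pi` and `e`, and refuses everything else. The limits `MAX_EXPR_LEN` and `MAX_BITS` and the helper names are assumptions of this example (Python 3.8+ for `ast.Constant`). String literals are rejected outright, so `' '*(10**200)` never reaches the multiplication, and a bit-length estimate refuses `10**(10**10)` before any memory is allocated.

```python
import ast
import math
import operator

# Limits are assumptions for this example, not values from the thread.
MAX_EXPR_LEN = 200    # bounds parse cost and the depth of the recursive walk
MAX_BITS = 4096       # no intermediate integer may exceed this many bits

_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
# Whitelisted math functions. factorial is deliberately absent: factorial(10**9)
# burns CPU and memory before any size check on its result could run.
_FUNCS = {n: getattr(math, n)
          for n in ("sqrt", "sin", "cos", "tan", "log", "exp", "floor", "ceil")}
_NAMES = {"pi": math.pi, "e": math.e}


class UnsafeExpression(ValueError):
    """Raised for any syntax, name, type or value the evaluator refuses."""


def _bounded(value):
    """Reject results that are too large (or not finite) to keep around."""
    if isinstance(value, int) and value.bit_length() > MAX_BITS:
        raise UnsafeExpression("integer result exceeds %d bits" % MAX_BITS)
    if isinstance(value, float) and not math.isfinite(value):
        raise UnsafeExpression("non-finite float result")
    return value


def _pow(base, exp):
    """Exponentiation with the result size estimated *before* computing it."""
    if (isinstance(base, int) and isinstance(exp, int) and exp > 0
            and base not in (0, 1, -1)):
        # |base| >= 2**(bl-1), so the result has at least (bl-1)*exp + 1 bits.
        # This lower bound never refuses a result that would have fitted;
        # anything let through is at most about 2*MAX_BITS and _bounded rejects it.
        if (base.bit_length() - 1) * exp + 1 > MAX_BITS:
            raise UnsafeExpression("exponentiation result exceeds %d bits" % MAX_BITS)
    try:
        return base ** exp
    except OverflowError:   # float overflow, or int too large to convert to float
        raise UnsafeExpression("exponentiation overflow")


def _eval(node):
    if isinstance(node, ast.Constant):
        # type() rather than isinstance(): bool is an int subclass, and str/bytes
        # constants are exactly what makes ' ' * (10**200) possible.
        if type(node.value) in (int, float):
            return _bounded(node.value)
        raise UnsafeExpression("constant of type %s not allowed"
                               % type(node.value).__name__)
    if isinstance(node, ast.Name):
        if node.id in _NAMES:
            return _NAMES[node.id]
        raise UnsafeExpression("unknown name %r" % node.id)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _bounded(_UNARY_OPS[type(node.op)](_eval(node.operand)))
    if isinstance(node, ast.BinOp) and (isinstance(node.op, ast.Pow)
                                        or type(node.op) in _BIN_OPS):
        left, right = _eval(node.left), _eval(node.right)
        if isinstance(node.op, ast.Pow):
            return _bounded(_pow(left, right))
        return _bounded(_BIN_OPS[type(node.op)](left, right))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        args = [_eval(a) for a in node.args]
        try:
            return _bounded(_FUNCS[node.func.id](*args))
        except OverflowError:
            raise UnsafeExpression("overflow in %s()" % node.func.id)
    # Attribute access, subscripts, comparisons, lambdas, other calls, ...
    raise UnsafeExpression("unsupported syntax: %s" % type(node).__name__)


def safe_eval(expr):
    """Evaluate an arithmetic expression string, or raise UnsafeExpression."""
    if len(expr) > MAX_EXPR_LEN:
        raise UnsafeExpression("expression longer than %d characters" % MAX_EXPR_LEN)
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("syntax error: %s" % exc)
    try:
        return _eval(tree.body)
    except ZeroDivisionError:
        raise UnsafeExpression("division by zero")


def is_refused(expr):
    """True if safe_eval() refuses the expression."""
    try:
        safe_eval(expr)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    for expr in ("2 + 3 * 4", "10**200", "sqrt(2) * pi", "' ' * (10**200)",
                 "10**(10**10)", "__import__('os')", "().__class__.__base__"):
        try:
            print("%-25s -> %s" % (expr, safe_eval(expr)))
        except UnsafeExpression as exc:
            print("%-25s -> refused (%s)" % (expr, exc))
```

The size estimate only bounds integer growth; it says nothing about wall-clock time, and every new function added to the whitelist needs the same "how big can the output get, and how long does it take" question asked before it goes in. For input from genuinely untrusted callers the usual belt-and-braces is to run the evaluator in a separate process with an address-space limit and a timeout, so that a case this walker did not anticipate only kills that process.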
