Fredrik Lundh <[EMAIL PROTECTED]> wrote:
> Ant wrote:
>> It seems that there must be a way to use eval safely, as there are
>> plenty of apps that embed python as a scripting language - and what's
>> the point of an eval function if impossible to use safely, and you have
>> to write your own Python parser!!
> embedding python != accepting scripts from anywhere.
And also using eval (or exec or execfile) != accepting scripts from anywhere. You've got to consider where the data can have come from and what (broad) context it's being eval()'d in.

Last time I did something like this was with execfile for advanced configuration of a server, and if a hostile party were in a position to inject malicious code into *that* then subversion of our program would be the least of anyone's concern.

-- 
\S -- [EMAIL PROTECTED] -- http://www.chaos.org.uk/~sion/
  ___  |  "Frankly I have no feelings towards penguins one way or the other"
  \X/  |    -- Arthur C. Clarke
   her nu becomeþ se bera eadward ofdun hlæddre heafdes bæce bump bump bump
-- http://mail.python.org/mailman/listinfo/python-list
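The distinction the reply draws, as an added example that is not code from the thread or from either poster: keep the "data from anywhere" path and the "operator-owned configuration code" path separate before anything reaches eval()/exec(). For the data path the example swaps in ast.literal_eval(), which the thread does not mention; it accepts Python literals only and refuses names, calls, attribute access and operators. The exec() path is the execfile()-for-server-configuration case from the reply. The config text and the candidate inputs are constructed for the example.

```python
# Added example (not from the thread): separating untrusted data from
# trusted configuration code before anything reaches eval()/exec().
# ast.literal_eval() is not mentioned in the thread; it is used here as the
# "data only" path because it accepts Python literals and nothing else.
import ast


def parse_untrusted_value(text: str):
    """Parse a value whose origin is unknown (form field, network message).

    Only Python literals are accepted: numbers, strings, bytes, tuples,
    lists, dicts, sets, booleans and None. Names, calls, attribute access
    and operators are rejected, so the string is treated as data, never as
    code to run.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"refusing non-literal input {text!r}: {exc}") from None


def load_trusted_config(source: str) -> dict:
    """Run operator-owned configuration code, the execfile() case from the reply.

    This is exec() used on purpose: the file is as trusted as the program
    itself, and whoever can write it could already replace the program.
    It must never be pointed at input from an untrusted party.
    """
    namespace: dict = {}
    exec(source, namespace)
    # exec() inserts __builtins__ into the namespace; drop it and any other
    # dunder names so only the settings the file defined are returned.
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


# Constructed sample: an operator-owned server configuration file.
SAMPLE_CONFIG = """
listen_port = 8080
allowed_hosts = ["10.0.0.1", "10.0.0.2"]
max_clients = listen_port // 100  # configuration files may compute values
"""


def demo() -> dict:
    """Exercise both paths and return a summary that can be checked."""
    results = {"config": load_trusted_config(SAMPLE_CONFIG)}
    results["data"] = parse_untrusted_value("{'retries': 3, 'hosts': ['a', 'b']}")
    rejected = []
    # Constructed non-literal inputs: a call, an import call, an attribute lookup.
    for candidate in ("len('abc')", "__import__('os')", "settings.debug"):
        try:
            parse_untrusted_value(candidate)
        except ValueError:
            rejected.append(candidate)
    results["rejected"] = rejected
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two functions having different names is that the trust decision is made at the call site, where the origin of the string is known, rather than inside a generic "evaluate this" helper that cannot tell a config file from a network message.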