On Sep 14, 2009, at 12:09 PM, Mikie wrote:

> Robert,
>
> Can I use your technique above to input this string? The "[5]*3"
> gives me a problem
>
> L1="[3,10,15,23,25,30,3,[5]*3]"

You can, but here you're getting to the point where you're allowing arbitrary input, not just a list of integers. What about "[1, 2, 3, [4]*(1<<30)]"? How much memory do you have on your machine?

- Robert

> On Sep 10, 1:56 pm, Robert Bradshaw <rober...@math.washington.edu>
> wrote:
>> On Sep 10, 2009, at 12:24 PM, Robert Bradshaw wrote:
>>
>>> On Sep 9, 2009, at 9:01 AM, Tim Dumol wrote:
>>>
>>>> `eval(the_string, globals = {"__builtins__":None}, locals = {})`
>>>> should do it. This removes access from all functions. Add any
>>>> functions that are needed by adding them to the "locals"
>>>> dictionary.
>>>>
>>>> As stated in: http://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings
>>>> and http://lybniz2.sourceforge.net/safeeval.html
>>>
>>> Wow, this works, though for much deeper reasons than those given
>>> above.
>>>
>>> sage: [].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']
>>> {'ArithmeticError': <type 'exceptions.ArithmeticError'>,
>>> ...
>>> 'zip': <built-in function zip>}
>>>
>>> sage: eval("[].__class__.__subclasses__()[2].is_mutable.__func__.__globals__['__builtins__']", {"__builtins__":None}, {})
>>> ------------------------------------------------------------
>>> Traceback (most recent call last):
>>>   File "<ipython console>", line 1, in <module>
>>>   File "<string>", line 1, in <module>
>>> RuntimeError: restricted attribute
>>>
>>> Even
>>>
>>> sage: eval("[].__class__.__subclasses__()[2]([]).save('foo.txt')", {"__builtins__": None}, {})
>>> ------------------------------------------------------------
>>> Traceback (most recent call last):
>>>   File "<ipython console>", line 1, in <module>
>>>   File "<string>", line 1, in <module>
>>>   File "sage_object.pyx", line 150, in sage.structure.sage_object.SageObject.save (sage/structure/sage_object.c:1894)
>>> IOError: file() constructor not accessible in restricted mode
>>>
>>> In short, if globals()['__builtins__'] != __builtins__ it runs in
>>> "Restricted mode" which disallows certain introspections and other
>>> operations. I don't know that it's bullet proof, but it looks pretty
>>> solid.
>>
>> A little googling yielded
>>
>> http://www.dalkescientific.com/writings/diary/archive/2008/03/03/restricted_python.html
>>
>> which is one (of who knows how many) holes in restricted mode.
>>
>> - Robert
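
Added example, not part of the original thread and not the technique Robert refers to (which is not shown on this page): one way to accept input like Mikie's `[5]*3` without `eval()`, by walking the `ast` parse tree and allowing only integers, lists and list repetition, with the size checked before anything is allocated. The function names and both caps are assumptions chosen for illustration.

```python
import ast

MAX_CHARS = 1_000    # assumed cap on input length (not from the thread)
MAX_SLOTS = 10_000   # assumed cap on the size of any value that is built


def _slots(value):
    """Size estimate: 1 per int, 1 + contents per list (so [[]] counts too)."""
    if isinstance(value, list):
        return 1 + sum(_slots(v) for v in value)
    return 1


def _build(node):
    """Evaluate one AST node, accepting only ints, lists and list * int."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        operand = _build(node.operand)
        if type(operand) is int:
            return -operand
    elif isinstance(node, ast.List):
        items = [_build(elt) for elt in node.elts]
        if _slots(items) > MAX_SLOTS:
            raise ValueError("list too large")
        return items
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mult):
        left, right = _build(node.left), _build(node.right)
        if isinstance(left, list) and type(right) is int:
            # Check the size before allocating, so [4]*1073741824 is refused.
            if _slots(left) * right > MAX_SLOTS:
                raise ValueError("repetition too large")
            return left * right
    # Names, attributes, calls, subscripts, shifts, etc. all end up here.
    raise ValueError("disallowed syntax: " + type(node).__name__)


def parse_int_list(text):
    """Parse text such as "[3,10,[5]*3]" without calling eval()."""
    if len(text) > MAX_CHARS:
        raise ValueError("input too long")
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a Python expression") from exc
    value = _build(tree.body)
    if not isinstance(value, list):
        raise ValueError("top-level value must be a list")
    return value
```

As with `eval`, `left * right` repeats references, so a repeated nested list is the same object in every position.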