Re: Sandboxing eval() (was: Calculator)
> On 19. Jan 2020, at 19:35, mus...@posteo.org wrote:
>
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
>
> I have an application that loads calculation recipes (a few lines of
> variable assignments and arithmetic) from a database.
>
> exec(string, globals, locals)
>
> with locals containing the input variables, and globals has a
> __builtin__ object with a few math functions. It works, but is it safe?

https://github.com/danthedeckie/simpleeval

Might be a good starting point.

Greetings
Stephan
--
https://mail.python.org/mailman/listinfo/python-list
Re: Sandboxing eval()
On 2020-01-19 7:53 PM, Paul Moore wrote:
> On Sun, 19 Jan 2020 at 17:45, wrote:
>> Is it actually possible to build a "sandbox" around eval, permitting it
>> only to do some arithmetic and use some math functions, but no
>> filesystem access or module imports?
>
> If you require safety, you really need to write your own parser/evaluator.

I have written a simple parser/evaluator that is sufficient for my simple requirements, and I thought I was safe.

Then I saw this comment in a recent post by Robin Becker of ReportLab -

"avoiding simple things like ' '*(10**200) seems quite difficult"

I realised that my method is vulnerable to this and, like Robin, I have not come up with an easy way to guard against it.

Frank Millman
problem with python 3.8.1
hi

I can not install the py launcher and I really need it for something. I used repair and tried it again but it still didn't work. Do you know how to fix my issue and if you do please email me back as soon as possible thank you.
installation issue.
Hi Team,

I am not able to select the path on command prompt. It gives me an error that python is not recognized as an internal or external command.
Please help me with this to set up and perform my activities.

Regards,
Sandesh Kamble

Sent from Mail for Windows 10
TensorFlow with 3.8.1
Hello,

Hope this email finds you well. I am having an issue with the installation of TensorFlow on python 3.8.1. I want to work on TensorFlow, please let me know how can I install it. Give me the complete guide if possible.

Regards
Fahad Qayyum
Re: installation issue.
On Mon, Jan 20, 2020 at 5:29 AM NIT Application wrote:
>
> Hi Team,
>
> I am not able to select the path on command prompt. It gives me an error that
> python is not recognized as an internal or external command.
> Please help me with this to set up and perform my activities.
>
> Regards,
> Sandesh Kamble
>
> Sent from Mail for Windows 10

if you are typing something like this:

cd /mydir

but you are in the python shell, and not to linux shell

copy and paste your screen display

--
Joel Goldstick
http://joelgoldstick.com/blog
http://cc-baseballstats.info/stats/birthdays
tkinter treeview widget - bind doubleclick to items only ?
Hello all,

I've created a treeview, and would (of course) want to register some mouse-clicking on it, and for that I've found the ".bind()" method.

https://stackoverflow.com/questions/3794268/command-for-clicking-on-the-items-of-a-tkinter-treeview-widget

There is a slight problem with it though: when I click a column's caption (for sorting) the event's code also gets fired, which causes problems.

I've found that I can connect mouse-click events to the column captions as shown in the second example here in the "self.tree.heading()" call:

https://stackoverflow.com/questions/5286093/display-listbox-with-columns-using-tkinter

I was wondering if something similar is maybe also available for the items below it ...

If not, how do I ignore mouse clicks that are not done on one of the items?

Regards,
Rudy Wieser
[PyDDF-Ann] ANN: Python Meeting Düsseldorf - 22.01.2020
[This announcement was originally in German since it targets a local user group meeting in Düsseldorf, Germany]

ANNOUNCEMENT

Python Meeting Düsseldorf
http://pyddf.de/

A meeting of Python enthusiasts and interested people in a relaxed atmosphere.

Wednesday, 22.01.2020, 18:00
Room 1, 2nd floor, Bürgerhaus Stadtteilzentrum Bilk
Düsseldorfer Arcaden, Bachstr. 145, 40217 Düsseldorf

This message is also available online:
https://www.egenix.com/company/news/Python-Meeting-Duesseldorf-2020-01-22

NEWS

* Talks already registered:

  Christian Hetmann "pipenv"
  Jens Diemer "Micropython Sonoff Switch"
  Klaus Bremer "FritzConnection"
  Klaus Bremer "PyCon DE"

  Further talks are welcome and can still be registered: i...@pyddf.de

* Start time and location:

  We meet at 18:00 at the Bürgerhaus in the Düsseldorfer Arcaden.

  The Bürgerhaus shares its entrance with the swimming pool and is located on the side of the underground car park entrance of the Düsseldorfer Arcaden.

  Above the entrance there is a large "Schwimm' in Bilk" logo. Behind the door, turn directly left to the two elevators, then go up to the 2nd floor. The entrance to Room 1 is directly on the left as you come out of the elevator.

  Google Street View: http://bit.ly/11sCfiw

INTRODUCTION

The Python Meeting Düsseldorf is a regular event in Düsseldorf aimed at Python enthusiasts from the region:

* http://pyddf.de/

Our YouTube channel, where we publish the talks after the meetings, gives a good overview of the talks:

* http://www.youtube.com/pyddf/

The meeting is organized by eGenix.com GmbH, Langenfeld, in cooperation with Clark Consulting & Research, Düsseldorf:

* http://www.egenix.com/
* http://www.clark-consulting.eu/

PROGRAM

The Python Meeting Düsseldorf uses a mix of (lightning) talks and open discussion.

Talks can be registered in advance or brought in spontaneously during the meeting. A projector with XGA resolution is available.

Please register (lightning) talks informally by email to i...@pyddf.de

COST SHARING

The Python Meeting Düsseldorf is organized by Python users for Python users.

To at least partially refinance the costs, we ask participants for a contribution of EUR 10.00 incl. 19% VAT; pupils and students pay EUR 5.00 incl. 19% VAT.

We would like to ask all participants to bring the amount in cash.

REGISTRATION

Since we only have seating for about 20 people, we would like to ask you to register by email. This does not entail any obligation. It does, however, make planning easier for us.

Please register for the meeting via Meetup
https://www.meetup.com/Python-Meeting-Dusseldorf/
or informally by email to i...@pyddf.de

FURTHER INFORMATION

Further information can be found on the meeting's website:

http://pyddf.de/

Kind regards,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Jan 20 2020)
>>> Python Projects, Coaching and Support ... https://www.egenix.com/
>>> Python Product Development ... https://consulting.egenix.com/

::: We implement business ideas - efficiently in both time and costs :::

eGenix.com Software, Skills and Services GmbH
Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany.
CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
https://www.egenix.com/company/contact/
https://www.malemburg.com/
Re: problem with python 3.8.1
On 20/01/20 7:35 PM, coolguy 12336 wrote:
> hi
>
> I can not install the py launcher and I really need it for something. I used repair and tried it again but it still didn't work. Do you know how to fix my issue and if you do please email me back as soon as possible thank you.

Hi, are you a student - if so, where?

This is a volunteer community. Help us to help you...

Which Operating System?
From where are you downloading Python?
What did you do (that appeared to work)?
What was the error message?

--
Regards =dn
Re: TensorFlow with 3.8.1
On 20/01/20 6:13 PM, Fahad Qayyum wrote:
> Hello,
>
> Hope this email finds you well. I am having an issue with the installation of TensorFlow on python 3.8.1. I want to work on TensorFlow, please let me know how can I install it. Give me the complete guide if possible.

Hi, and welcome to the Python list.

This is a volunteer community. Help us to help you...

Are you a student - if so, where?
Which Operating System?
From where are you downloading Python? TensorFlow?
What did you do (that appeared to work)?
What was the error message?

--
Regards =dn
Re: installation issue.
On 20/01/20 8:13 PM, NIT Application wrote:
> Hi Team,
>
> I am not able to select the path on command prompt. It gives me an error that python is not recognized as an internal or external command.
> Please help me with this to set up and perform my activities.
>
> Regards,
> Sandesh Kamble

Hi, and welcome to the Python list.

This is a volunteer community. Help us to help you...

Are you a student - if so, where?
Which Operating System?
What was the error message?

--
Regards =dn
Python login screen for MariaDB db
I found this article: https://www.simplifiedpython.net/python-gui-login/

I used PDO on PHP 7.3 with last MariaDB engine but I'd like to start to use Python for a local warehouse software, I found the above guide but I need to understand what I should replace from that guide to link the script to my MariaDB DB!

I know I need to use this:

#!/usr/bin/python
import MySQLdb

# Open database connection
db = MySQLdb.connect("localhost","root","MyPWD","MyDB")

But after the above code how could I check the login to my user's table?

Regards.
^Bart
Re: Python login screen for MariaDB db
On 21/01/20 8:37 AM, ^Bart wrote:
> I found this article: https://www.simplifiedpython.net/python-gui-login/
>
> I used PDO on PHP 7.3 with last MariaDB engine but I'd like to start to use Python for a local warehouse software, I found the above guide but I need to understand what I should replace from that guide to link the script to my MariaDB DB!
>
> I know I need to use this:
>
> #!/usr/bin/python
> import MySQLdb
>
> # Open database connection
> db = MySQLdb.connect("localhost","root","MyPWD","MyDB")
>
> But after the above code how could I check the login to my user's table?

Please refer previous response, re 'tutorials' - if the above credentials fail, then an exception will be raised.

If MariaDB do not provide suitable documentation, then use MySQL's (Maria was forked from MySQL).

Are you asking for code, or techniques?

--
Regards =dn
Re: tkinter treeview widget - bind doubleclick to items only ?
On 2020-01-20 10:49, R.Wieser wrote:
> Hello all,
>
> I've created a treeview, and would (of course) want to register some mouse-clicking on it, and for that I've found the ".bind()" method.
>
> https://stackoverflow.com/questions/3794268/command-for-clicking-on-the-items-of-a-tkinter-treeview-widget
>
> There is a slight problem with it though: when I click a column's caption (for sorting) the event's code also gets fired, which causes problems.
>
> I've found that I can connect mouse-click events to the column captions as shown in the second example here in the "self.tree.heading()" call:
>
> https://stackoverflow.com/questions/5286093/display-listbox-with-columns-using-tkinter
>
> I was wondering if something similar is maybe also available for the items below it ...
>
> If not, how do I ignore mouse clicks that are not done on one of the items?

You set the event handler for the column headings separately from that for the items. Here's an example:

--8<
#!python3.8
# -*- coding: utf-8 -*-
import tkinter as tk
import tkinter.ttk as ttk

class App(tk.Tk):
    def __init__(self):
        tk.Tk.__init__(self)
        self.title('Treeview Example')

        self.treeview = ttk.Treeview(self, columns=['#1'],
                                     displaycolumns='#all', show=['headings'])
        # Clicks on the column heading go to the heading's own command.
        self.treeview.heading('#1', text='Items',
                              command=lambda iid='#1': self.on_heading(iid))
        # Double-clicks on the widget go to the bound event handler.
        self.treeview.bind('<Double-1>', self.on_dclick)
        self.treeview.pack(fill='both', expand=True)

        for i in range(5):
            iid = self.treeview.insert('', 'end')
            self.treeview.set(iid, '#1', 'Item %d' % (1 + i))

    def on_heading(self, iid):
        print('Clicked on column %s' % iid, flush=True)
        selection = self.treeview.selection()
        print('Selection is %s' % ascii(selection), flush=True)

    def on_dclick(self, event):
        print('Double-clicked on an item', flush=True)
        selection = self.treeview.selection()
        print('Selection is %s' % ascii(selection), flush=True)

App().mainloop()
--8<

If you click on the column heading you get:

Clicked on column #1
Selection is ...

If you double-click on, say, item 1, you get:

Double-clicked on an item
Selection is ('I001',)
Re: Python login screen for MariaDB db
> Are you asking for code, or techniques?

Thanks for your reply! :)

I followed the code from the web article but I need to read an example of a login form connected to a MariaDB db!

In the web article it's used a file to check data but I need to check data to a table in MariaDB or better how and where should I replace code from the web article!

^Bart
Re: Sandboxing eval() (was: Calculator)
On Mon, 20 Jan 2020 06:43:41 +1100
Chris Angelico wrote:

> On Mon, Jan 20, 2020 at 4:43 AM wrote:
> > It works, but is it safe?
>
> As such? No.

That's what many people have said, and I believe them. But just from a point of technical understanding: If I start with empty global and local dicts, and an empty __builtins__, and I screen the input string so it can't contain the string "import", is it still possible to have "targeted" malicious attacks? Of course by gobbling up memory any script can try and crash the Python interpreter or the whole machine wreaking all sorts of havoc, but by "targeted" I mean accessing the file system or the operating system in a deterministic way.

My own Intranet application needs to guard against accidents, not intentionally malicious attacks.

> However, there are some elegant hybrid options, where you
> can make use of the Python parser to do some of your work, and then
> look at the abstract syntax tree.

Sounds interesting. All I need is a few lines of arithmetic and variable assignments. Blocking ':' from the input should add some safety, too.

> Research the "ast" module for some ideas on what you can do.

Will do.
Re: Sandboxing eval() (was: Calculator)
On Tue, Jan 21, 2020 at 4:59 PM wrote:
>
> On Mon, 20 Jan 2020 06:43:41 +1100
> Chris Angelico wrote:
>
> > On Mon, Jan 20, 2020 at 4:43 AM wrote:
> > > It works, but is it safe?
> >
> > As such? No.
>
> That's what many people have said, and I believe them. But just from a
> point of technical understanding: If I start with empty global and
> local dicts, and an empty __builtins__, and I screen the input string
> so it can't contain the string "import", is it still possible to have
> "targeted" malicious attacks? Of course by gobbling up memory any
> script can try and crash the Python interpreter or the whole machine
> wreaking all sorts of havoc, but by "targeted" I mean accessing the
> file system or the operating system in a deterministic way.

You would also need to provide your own __import__ function, because otherwise you can trivially get around it by rewording things a little. And then there are a variety of less easy exploits that generally start by accessing a dunder off some constant.

> My own Intranet application needs to guard against accidents, not
> intentionally malicious attacks.

Hmm. You're going to have to make your own evaluation of risk vs restriction. (And factoring in the effort required. Certain balances of risk/restriction take more effort than others do.)

> > However, there are some elegant hybrid options, where you
> > can make use of the Python parser to do some of your work, and then
> > look at the abstract syntax tree.
>
> Sounds interesting. All I need is a few lines of arithmetic
> and variable assignments. Blocking ':' from the input should add some
> safety, too.

Cool, in that case it should be possible. But instead of trying to do string sanitization, define your whitelist by Python's operations. (That's what the AST module is for.) So, for instance, you might permit Constant nodes, BinOp (maybe with a restricted set of legal operators), Name, Compare, and maybe a few others, but disallow Attribute. That way, the dot in "2.5" is perfectly legal, but the dot in "(2).5" would be forbidden, as would "2.5.1" (if you evaluate that, what it does is attempt to look up the attribute "1" on the literal float 2.5).

Full list of AST nodes:

https://docs.python.org/3/library/ast.html#abstract-grammar

There are still a few vulnerabilities that this won't protect you from, but they're mostly the "gobbling up memory" sort, and as you mentioned, not an issue on the intranet. Do be aware, though, that exponentiation can result in some pretty big numbers pretty quickly (evaluating 9**9**9 takes... a while). But other than that, this is almost certainly the easiest way to make an expression evaluator that uses Python syntax.

Now, if that's insufficient... your next option would probably be to embed some other language, like Lua or JavaScript...

ChrisA
Re: tkinter treeview widget - bind doubleclick to items only ?
MRAB,

> self.treeview.bind('<Double-1>', self.on_dclick)

That is what I used. Doubleclicking on the heading caused the "on_dclick" code to execute, though initially the ".identify()" call in my code returns an empty ID (no row present at the location I clicked).

That changes when the treeview contents are scrolled up, causing a with a row to be hidden behind the heading. At that moment doubleclicking the heading my ".identify()" call in the "on_dclick" code returns the ID of the row that's hidden behind it. :-(

Shucks, it seems to be even worse: I just scrolled a row containing children (visible by its prefixed the to-the-right pointing triangle) behind the heading, and double-clicking the heading caused that row's children to unfold and fold. I don't think that that should be happening ...

How do I prevent it?

Regards,
Rudy Wieser