eval(source, {'builtins': {}}) archived as Faq

  • p.lavarre@ieee.org

    eval(source, {'builtins': {}}) archived as Faq

    Absent from http://www.python.org/doc/current/li...-in-funcs.html
    but now copied to the Faq list of http://pyfaq.infogami.com/suggest,
    from these clp archives:

    ///

    Q: How can I tell Python to calculate what quoted strings and numbers
    mean, without also accidentally accepting OS commands as input?

    A: eval(source, {'builtins': {}})

    Note: What eval may do to you remains as surprising as ever if you
    mistype this idiom as: eval(source, {})

    Note: This idiom makes sense of ordinary Python literals (such as 010,
    0x8, 8.125e+0, and "\x45ight"). This idiom also correctly interprets
    simple literal expressions, such as 64**0.5.

  • Erik Max Francis

    #2
    Re: eval(source, {'builtins': {}}) archived as Faq

    p.lavarre@ieee.org wrote:
    > Absent from http://www.python.org/doc/current/li...-in-funcs.html
    > but now copied to the Faq list of http://pyfaq.infogami.com/suggest,
    > from these clp archives:
    >
    > ///
    >
    > Q: How can I tell Python to calculate what quoted strings and numbers
    > mean, without also accidentally accepting OS commands as input?
    >
    > A: eval(source, {'builtins': {}})
    >
    > Note: What eval may do to you remains as surprising as ever if you
    > mistype this idiom as: eval(source, {})
    >
    > Note: This idiom makes sense of ordinary Python literals (such as 010,
    > 0x8, 8.125e+0, and "\x45ight"). This idiom also correctly interprets
    > simple literal expressions, such as 64**0.5.

    This is an _extremely_ bad idea. _Never_ use eval in a case where you
    are trying to validate input.

    >>> def e(source): return eval(source, {'builtins': {}})
    ...
    >>> e('__import__("sys").exit()')

    Oops, the interpreter exited.

    Just when you think you've covered all the bases, you haven't.

    --
    Erik Max Francis && max@alcyone.com && http://www.alcyone.com/max/
    San Jose, CA, USA && 37 20 N 121 53 W && AIM, Y!M erikmaxfrancis
    A man's life is what his thoughts make it.
    -- Marcus Aurelius


    • Paul Rubin

      #3
      Re: eval(source, {'builtins': {}}) archived as Faq

      p.lavarre@ieee.org writes:
      > Q: How can I tell Python to calculate what quoted strings and numbers
      > mean, without also accidentally accepting OS commands as input?
      >
      > A: eval(source, {'builtins': {}})

      That is dangerous. Consider source = "9**9**9". There's a better
      recipe on ASPN:



      • Duncan Booth

        #4
        Re: eval(source, {'builtins': {}}) archived as Faq

        Erik Max Francis <max@alcyone.com> wrote:
        > This is an _extremely_ bad idea. _Never_ use eval in a case where you
        > are trying to validate input.
        >
        > >>> def e(source): return eval(source, {'builtins': {}})
        > ...
        > >>> e('__import__("sys").exit()')
        >
        > Oops, the interpreter exited.

        I'm slightly surprised that nobody has yet pointed out that the OP failed
        at the very first hurdle here. If you are going to do this dangerous trick
        then 'builtins' should be spelled '__builtins__':

        >>> def e(source): return eval(source, {'__builtins__': {}})
        >>> e('__import__("sys").exit()')
        Traceback (most recent call last):
          File "<pyshell#9>", line 1, in <module>
            e('__import__("sys").exit()')
          File "<pyshell#8>", line 1, in e
            def e(source): return eval(source, {'__builtins__': {}})
          File "<string>", line 1, in <module>
        NameError: name '__import__' is not defined
        >>>

        but it is still not going to stop nasty things happening, it just makes
        them a little more complex:

        >>> e("[c for c in 1 .__class__.__bases__[0].__subclasses__() if
        c.__name__=='Quitter'][0]('bang')()")


        • Erik Max Francis

          #5
          Re: eval(source, {'builtins': {}}) archived as Faq

          Duncan Booth wrote:
          > I'm slightly surprised that nobody has yet pointed out that the OP failed
          > at the very first hurdle here. If you are going to do this dangerous trick
          > then 'builtins' should be spelled '__builtins__':

          I did, because otherwise the exploit I gave wouldn't have worked so easily.

          The bottom line here is that you shouldn't even try to go through the
          exercise of seeing if you can bullet-proof a solution using eval;
          instead, you shouldn't even try.

          --
          Erik Max Francis && max@alcyone.com && http://www.alcyone.com/max/
          San Jose, CA, USA && 37 20 N 121 53 W && AIM, Y!M erikmaxfrancis
          Everyone wants to look good at his own funeral.
          -- Louis Wu
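As an added example (not code from any poster in this thread), the defender's replacement for the eval() idiom being argued over: an ast-based whitelist evaluator that handles the literals and simple arithmetic the OP wanted, raises on names, calls, attribute access and comprehensions (so neither the __import__ input nor the __subclasses__ input shown above is ever executed), and caps exponents so that 9**9**9 is refused. MAX_EXPONENT is an assumed limit chosen for this example; note that 010 is Python 2 octal and is a SyntaxError in Python 3, where 0o10 is the spelling.

```python
import ast
import operator

# Added example, not code from the thread: a whitelist evaluator for the
# "quoted strings and numbers" use case, replacing eval() entirely.  Only
# literals, tuples/lists and arithmetic are walked; any other node type
# (Name, Call, Attribute, ListComp, ...) raises before anything runs.
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Pow: operator.pow,
}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 64  # assumption: cap chosen for this example; tune per application


def safe_eval(source: str):
    """Evaluate a literal or simple arithmetic expression without eval()."""
    tree = ast.parse(source, mode="eval")  # SyntaxError on non-expressions
    return _walk(tree.body)


def _walk(node):
    if isinstance(node, ast.Constant):  # 0x8, 8.125e+0, "\x45ight", None
        return node.value
    if isinstance(node, (ast.Tuple, ast.List)):
        values = [_walk(elt) for elt in node.elts]
        return tuple(values) if isinstance(node, ast.Tuple) else values
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_walk(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _walk(node.left), _walk(node.right)
        if not all(isinstance(v, (int, float)) for v in (left, right)):
            raise ValueError("arithmetic is allowed on numbers only")
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")  # rejects 9**9**9
        return _BINOPS[type(node.op)](left, right)
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def is_rejected(source: str) -> bool:
    """True when safe_eval refuses the input instead of evaluating it."""
    try:
        safe_eval(source)
    except (ValueError, SyntaxError):
        return True
    return False
```

The walk is recursive, so deeply nested input can still raise RecursionError, and 1/0 raises ZeroDivisionError; callers should catch those alongside ValueError and SyntaxError.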
