Safe eval of insecure strings containing Python data structures?

  • Warren DeLano

    Safe eval of insecure strings containing Python data structures?


    I would like to parse an arbitrary insecure text string containing nested
    Python data structures in eval-compatible form:

    # For example, given a "config.txt" such as:

    {
    'my_atom' : 1.20,
    'my_dict' : { 2:50 , 'hi':'mom'},
    'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
    }

    # I would like to do something like this:

    empty_space = {'__builtins__' : {}}

    try:
        config = eval(open("config.txt").read(), empty_space, empty_space)
    except:
        config = {}

    print config

    # But I know for certain that the above approach is NOT secure since
    object attributes can still be accessed...

    So is there an equally convenient yet secure alternative available for
    parsing strings containing Python data structure definitions?

    Thanks in advance for any pointers!

    Cheers,
    Warren


  • George Sakkis

    #2
    Re: Safe eval of insecure strings containing Python data structures?

    On Oct 8, 8:34 pm, "Warren DeLano" <war...@delsci.com> wrote:
    > I would like to parse an arbitrary insecure text string containing nested
    > Python data structures in eval-compatible form:
    >
    > # For example, given a "config.txt" such as:
    >
    > {
    >   'my_atom' : 1.20,
    >   'my_dict' : { 2:50 , 'hi':'mom'},
    >   'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
    > }
    >
    > # I would like to do something like this:
    >
    > empty_space = {'__builtins__' : {}}
    >
    > try:
    >     config = eval(open("config.txt").read(), empty_space, empty_space)
    > except:
    >     config = {}
    >
    > print config
    >
    > # But I know for certain that the above approach is NOT secure since
    > object attributes can still be accessed...
    >
    > So is there an equally convenient yet secure alternative available for
    > parsing strings containing Python data structure definitions?
    >
    > Thanks in advance for any pointers!

    This topic comes up every other month or so in this list, so if you
    had taken a minute to search for "python safe eval" or a variation
    thereof in your favorite search engine, you'd get more than enough
    pointers.

    George


    • Aaron "Castironpi" Brady

      #3
      Re: Safe eval of insecure strings containing Python data structures?

      On Oct 8, 7:34 pm, "Warren DeLano" <war...@delsci.com> wrote:
      > I would like to parse an arbitrary insecure text string containing nested
      > Python data structures in eval-compatible form:
      >
      > ....
      >
      > # But I know for certain that the above approach is NOT secure since
      > object attributes can still be accessed...
      >
      > So is there an equally convenient yet secure alternative available for
      > parsing strings containing Python data structure definitions?
      >
      > Thanks in advance for any pointers!
      >
      > Cheers,
      > Warren

      As mentioned, I don't know if everything has been tried or how secure
      what attempts have been. I haven't seen this one:

      Python 2.6 (r26:66721, Oct 2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32
      Type "help", "copyright", "credits" or "license" for more information.
      >>> del __builtins__
      >>> a= [ x for x in (1).__class__.__bases__[0].__subclasses__() if x.__name__== 'file' ][ 0 ]
      >>> a
      <type 'file'>
      >>> a('abc.txt','w')
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
      IOError: file() constructor not accessible in restricted mode
      >>> import os
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
      ImportError: __import__ not found

      So, at least one of the newsgroup favorites is gone. Take a shot
      though! Maybe a variant would be sufficient. No warranty.


      • franck

        #4
        Re: Safe eval of insecure strings containing Python data structures?

        > I would like to parse an arbitrary insecure text string containing nested
        > Python data structures in eval-compatible form:

        Python 2.6 has ast.literal_eval to do exactly this. It handles lists,
        tuples, dicts, numbers, strings, bools and None, with arbitrary nesting.

        Cheers,
        Franck

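The ast.literal_eval approach from Franck's reply, applied to the config.txt shape from the original question, as an added example that is not from any post in this thread. It uses Python 3 syntax; the load_config and load_config_file helper names and the sample inputs are assumptions.

```python
import ast

# Constructed sample with the same shape as the config.txt in the question.
CONFIG_TEXT = """
{
'my_atom' : 1.20,
'my_dict' : { 2:50 , 'hi':'mom'},
'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}
"""

# Constructed hostile inputs: expressions eval() would still run with an
# emptied __builtins__, because attribute access and calls remain allowed.
HOSTILE_TEXTS = [
    "(1).__class__.__bases__[0].__subclasses__()",
    "__import__('os')",
    "[].__class__",
]


def load_config(text):
    """Parse a config written as Python literals without evaluating code.

    ast.literal_eval only builds str, bytes, numbers, tuples, lists, dicts,
    sets, booleans and None from the parsed AST. Names, attribute access,
    subscripts, calls and operators (apart from a sign on a number) raise
    ValueError, so no user-controlled expression is ever executed. On any
    failure this returns {} like the question's except clause, but narrowly.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return {}
    except (MemoryError, RecursionError):
        # literal_eval walks the AST recursively; absurdly deep nesting can
        # exhaust the stack, so treat that as a malformed config as well.
        return {}
    # literal_eval accepts any literal; insist on the top-level dict the
    # config format expects so callers do not have to re-check the type.
    return value if isinstance(value, dict) else {}


def load_config_file(path):
    """Read and parse a config file (assumed helper mirroring the question)."""
    with open(path) as fh:
        return load_config(fh.read())


if __name__ == "__main__":
    print(load_config(CONFIG_TEXT))
    for bad in HOSTILE_TEXTS:
        print(repr(bad), "->", load_config(bad))
```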
