Re: Safe eval of insecure strings containing Python data structures?

  • Lie Ryan

    Re: Safe eval of insecure strings containing Python data structures?

    On Thu, 09 Oct 2008 13:26:17 +0100, Orestis Markou wrote:
    > The ast module in 2.6 has something...

    In Python 2.6, ast.literal_eval may be used to replace eval() for
    literals. It does not accept statements and function calls, i.e.:

    >>> a = set([1, 2, 3])
    >>> repr(a)
    'set([1, 2, 3])'
    >>> ast.literal_eval(repr(a))
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/lib/python2.6/ast.py", line 67, in literal_eval
        return _convert(node_or_string)
      File "/usr/local/lib/python2.6/ast.py", line 66, in _convert
        raise ValueError('malformed string')
    ValueError: malformed string

  • Paul Rubin

    #2
    Re: Safe eval of insecure strings containing Python data structures?

    Lie Ryan <lie.1296@gmail.com> writes:
    > In Python 2.6, ast.literal_eval may be used to replace eval() for
    > literals.

    What happens on literal_eval('[1]*999999999') ?


    • Jason Scheirer

      #3
      Re: Safe eval of insecure strings containing Python data structures?

      On Oct 9, 9:01 am, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
      > Lie Ryan <lie.1...@gmail.com> writes:
      > > In Python 2.6, ast.literal_eval may be used to replace eval() for
      > > literals.
      >
      > What happens on literal_eval('[1]*999999999') ?

      The documentation clearly states that it will fail to evaluate and
      raise a ValueError because there is an operation in the statement. 5*5
      is NOT the literal 25, it is the equivalent of operator.mul(5, 5), and
      the same is true of []*x.


      • Aaron "Castironpi" Brady

        #4
        Re: Safe eval of insecure strings containing Python data structures?

        On Oct 9, 1:44 pm, Jason Scheirer <jason.schei...@gmail.com> wrote:
        > On Oct 9, 9:01 am, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
        > > Lie Ryan <lie.1...@gmail.com> writes:
        > > > In Python 2.6, ast.literal_eval may be used to replace eval() for
        > > > literals.
        > >
        > > What happens on literal_eval('[1]*999999999') ?
        >
        > The documentation clearly states that it will fail to evaluate and
        > raise a ValueError because there is an operation in the statement. 5*5
        > is NOT the literal 25, it is the equivalent of operator.mul(5, 5), and
        > the same is true of []*x.

        Kudos to the author on creating this function!


        • Terry Reedy

          #5
          Re: Safe eval of insecure strings containing Python data structures?

          Paul Rubin wrote:
          > Lie Ryan <lie.1296@gmail.com> writes:
          > > In Python 2.6, ast.literal_eval may be used to replace eval() for
          > > literals.
          >
          > What happens on literal_eval('[1]*999999999') ?

          Easy to try. Since it is not a literal or display,
          ValueError: malformed string, just as with set([1,2,3]).

          >>> [1]*999999999  # or
          >>> eval('[1]*999999999')  # give a quick MemoryError
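The thread's advice, carried through as an added example that is not code from any of the posts: a loader that hands untrusted text to ast.literal_eval, so calls such as set([1, 2, 3]), names such as __import__ and operators such as [1]*999999999 are all refused before anything is evaluated or allocated. It also adds the two guards literal_eval itself does not provide, a length budget and a nesting-depth budget, because the ast.literal_eval documentation warns that a sufficiently large or deeply nested string can still exhaust memory or the interpreter's stack. MAX_LEN, MAX_DEPTH, UnsafeLiteral, bracket_depth, safe_load, triage and the SAMPLES list are all assumptions constructed for this example. It targets Python 3, where the set display {1, 2, 3} is a literal that literal_eval accepts, while the Python 2 repr set([1, 2, 3]) discussed above is still a call and still rejected.

```python
"""Loading Python-literal data from untrusted strings with ast.literal_eval,
plus lexical size/depth guards. Added example; not from the mailing-list posts."""
import ast
import io
import tokenize

# Assumed budgets for one untrusted payload; tune them for the application.
MAX_LEN = 64 * 1024     # characters of source text
MAX_DEPTH = 32          # nesting levels of (), [] and {}

OPENERS = {"(", "[", "{"}
CLOSERS = {")", "]", "}"}


class UnsafeLiteral(ValueError):
    """Input refused either by a guard or by ast.literal_eval itself."""


def bracket_depth(text):
    """Deepest nesting of (), [] and {} in text, measured on the token stream
    so that brackets inside string literals are not counted."""
    depth = deepest = 0
    try:
        for tok in tokenize.generate_tokens(io.StringIO(text).readline):
            if tok.type != tokenize.OP:
                continue
            if tok.string in OPENERS:
                depth += 1
                deepest = max(deepest, depth)
            elif tok.string in CLOSERS:
                depth -= 1
    except (tokenize.TokenError, SyntaxError):
        # Unbalanced or over-nested input: the parser would reject it anyway,
        # so report it as infinitely deep and let the caller refuse it.
        return float("inf")
    return deepest


def safe_load(text):
    """Parse one Python literal from an untrusted string.

    ast.literal_eval refuses calls, names, attribute access and operators
    such as '[1]*999999999', so nothing is executed.  What it does not bound
    is resource use, hence the length and depth checks run on the raw text
    before the parser ever sees it.
    """
    if not isinstance(text, str):
        raise UnsafeLiteral("expected str, got %s" % type(text).__name__)
    if len(text) > MAX_LEN:
        raise UnsafeLiteral("payload of %d characters exceeds MAX_LEN" % len(text))
    depth = bracket_depth(text)
    if depth > MAX_DEPTH:
        raise UnsafeLiteral("nesting depth %s exceeds MAX_DEPTH" % depth)
    try:
        return ast.literal_eval(text)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        # ValueError: not a literal (call, name, operator); SyntaxError: not
        # parseable; TypeError: e.g. an unhashable set element.
        raise UnsafeLiteral("%s: %s" % (type(exc).__name__, exc)) from None


def triage(samples):
    """Run safe_load over each input and return
    {text: ("ok", value) | ("rejected", reason)}."""
    results = {}
    for text in samples:
        try:
            results[text] = ("ok", safe_load(text))
        except UnsafeLiteral as exc:
            results[text] = ("rejected", str(exc))
    return results


# Constructed inputs: the thread's own cases plus the two resource cases.
SAMPLES = [
    "[1, 2, {'a': (3, 4.5), 'b': None}]",   # plain literal: accepted
    "{1, 2, 3}",                             # Python 3 set display: accepted
    "set([1, 2, 3])",                        # Python 2 repr of a set: a call, refused
    "[1]*999999999",                         # operator: refused, nothing allocated
    "__import__('os').system('id')",         # code: refused
    "[" * 100 + "]" * 100,                   # 100 levels deep: refused by MAX_DEPTH
]

if __name__ == "__main__":
    for text, (verdict, detail) in triage(SAMPLES).items():
        print("%-40s %-8s %r" % (text[:40], verdict, detail))
```

The order of the checks matters: length first (no parsing at all for oversized input), then the tokenizer-based depth count, and only then literal_eval. Counting brackets on the token stream rather than on raw characters means an attacker cannot hide nesting inside a string literal or fake it with brackets in one.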

