[Zope] python script, from string to dictionary.
Dieter Maurer
dieter at handshake.de
Fri Feb 8 16:03:50 EST 2008
Chris Withers wrote at 2008-2-8 11:14 +0000:
>Dieter Maurer wrote:
>> It is easy to secure "eval":
>>
>> globs = {'__builtins__':{}}
>> eval(s, globs, globs)
>>
>> This ensures that "eval" cannot use any builtin functions --
>> especially, it cannot import anything.
>
>I'm fairly sure this isn't enough
That you are fairly sure is not enough -- unless you
show me an exploit....
>- google for the bugs in python's
>rexec and bastion modules which lead to them being deprecated...
I speak only about "eval" (not "exec" or "rexec" nor "bastion").
In the "eval" world, you only have expressions.
And with the "__builtins__" above, you have no builtin functions,
no classes, no types -- you have just the literals the parser
can recognize: strings, integers, floats, None, lists, tuples,
dicts, generators and the typical operators on them.
You are able to construct huge objects and can cause denial of service.
But this is possible even without "eval"....
--
Dieter
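The restricted eval from the reply above, placed side by side with ast.literal_eval, which is the stricter tool for the string-to-dictionary case in the subject line because it accepts only literals and rejects names, calls and operators. This is an added Python 3 example, not code from the thread; the input strings are constructed.

```python
import ast

# Constructed inputs: a well-formed dictionary literal, two strings that try to
# reach builtins, and one that is a valid expression but not a pure literal.
DICT_INPUT = "{'name': 'zope', 'port': 8080, 'tags': ('a', 'b')}"
IMPORT_INPUT = "__import__('os').getcwd()"
OPEN_INPUT = "open('/etc/hostname').read()"
EXPRESSION_INPUT = "{'k': 'x' * 10}"


def restricted_eval(s):
    """eval() with an empty __builtins__ mapping, as proposed in the reply."""
    globs = {'__builtins__': {}}
    return eval(s, globs, globs)


def literal_eval(s):
    """ast.literal_eval parses the string and accepts only literal nodes."""
    return ast.literal_eval(s)


def outcome(fn, s):
    """Return ('ok', value) on success or ('rejected', exception name) on failure."""
    try:
        return ('ok', fn(s))
    except Exception as exc:  # NameError, ValueError, SyntaxError, ...
        return ('rejected', type(exc).__name__)


def compare(s):
    """Run both evaluators on the same string and report each outcome."""
    return {
        'restricted_eval': outcome(restricted_eval, s),
        'literal_eval': outcome(literal_eval, s),
    }


if __name__ == '__main__':
    for s in (DICT_INPUT, IMPORT_INPUT, OPEN_INPUT, EXPRESSION_INPUT):
        print(repr(s))
        for name, result in compare(s).items():
            print('   ', name, '->', result)
```

Both evaluators accept the dictionary literal and both reject the attempts to reach `__import__` and `open`; the difference shows on the last input, which the restricted eval still evaluates (it is an ordinary expression) while literal_eval refuses it.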