How safe is expression evaluation using eval?

I am building a website where I have a need that a user should be able to evaluate some expression based on the values in DB tables. Instead of using tools like pyparsing etc., I am thinking of using Python itself, and have come up with a solution which is sufficient for my purpose. I am basically using eval to evaluate the expression and passing a globals dict with an empty `__builtins__` so that nothing can be accessed, and a locals dict for values from the DB; if the user will need some functions I can pass those too, e.g.

    import datetime

    def today():
        return datetime.datetime.now()

    expression = """
    first_name.lower() == "anurag" and today().year == 2010
    """
    print(eval(expression, {'__builtins__': {}}, {'first_name': 'Anurag', 'today': today}))

So my question is how safe it would be; I have three criteria:

1. Can the user access the current state of my program or tables etc. somehow?
2. Can the user have access to OS-level calls?
3. Can the user halt my system by looping or using much memory, e.g. by doing range(10*8)? In some cases he can, e.g. 100**1000 etc., so 3 is not so much of a problem. I may check such ops with tokenize, and anyway I will be using GAE so it is not much of a concern.

Edit: IMO this is not a duplicate of Q:661084 (https://stackoverflow.com/questions/661084/security-of-pythons-eval-on-untrusted-strings) because where it ends this one starts; I want to know, even with `__builtins__` blocked, can the user do bad things?
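An added example, not from the question or any answer on the page, of the kind of check a defender would put in front of eval instead of relying on an empty `__builtins__` alone: the expression is parsed with the standard `ast` module and rejected unless every node, name, attribute and call is on a whitelist, and only then compiled and evaluated with builtins removed. The helper `today()` mirrors the question's; `ALLOWED_NODES`, `ALLOWED_ATTRS`, the size limits and the sample row are constructed for this example and are assumptions, not the site's real schema.

```python
import ast
import datetime


# Helper exposed to expressions, mirroring the question's today() (assumption).
def today():
    return datetime.datetime.now()


SAFE_FUNCTIONS = {"today": today}

# Constructed whitelist: the only syntax an expression may contain.
# Notably absent: Pow, Subscript, comprehensions, lambdas, f-strings.
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult,
    ast.Name, ast.Load, ast.Constant, ast.Attribute, ast.Call,
)
# Constructed whitelist of attribute/method names reachable on row values.
ALLOWED_ATTRS = {"lower", "upper", "strip", "startswith", "year", "month", "day"}
MAX_EXPR_LEN = 200  # constructed limits against oversized or deeply nested input
MAX_NODES = 100


class UnsafeExpression(ValueError):
    """Raised when an expression uses syntax or names outside the whitelist."""


def validate(expr, allowed_names):
    """Parse expr and reject anything outside the whitelist; return the AST."""
    if len(expr) > MAX_EXPR_LEN:
        raise UnsafeExpression("expression too long")
    tree = ast.parse(expr, mode="eval")
    for count, node in enumerate(ast.walk(tree), 1):
        if count > MAX_NODES:
            raise UnsafeExpression("expression too complex")
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            raise UnsafeExpression("unknown name: " + node.id)
        if isinstance(node, ast.Attribute):
            # Underscore-prefixed attributes (__class__ and friends) are the
            # usual route out of an eval sandbox, so only listed plain names pass.
            if node.attr.startswith("_") or node.attr not in ALLOWED_ATTRS:
                raise UnsafeExpression("disallowed attribute: " + node.attr)
        if isinstance(node, ast.Call):
            if node.keywords or not isinstance(node.func, (ast.Name, ast.Attribute)):
                raise UnsafeExpression("disallowed call")
            if isinstance(node.func, ast.Name) and node.func.id not in SAFE_FUNCTIONS:
                raise UnsafeExpression("call to non-whitelisted function: " + node.func.id)
    return tree


def is_safe(expr, row):
    """True if expr passes validation against the row's column names."""
    try:
        validate(expr, set(row) | set(SAFE_FUNCTIONS))
    except (UnsafeExpression, SyntaxError):
        return False
    return True


def safe_eval(expr, row):
    """Validate, then evaluate with builtins removed and only row values visible."""
    tree = validate(expr, set(row) | set(SAFE_FUNCTIONS))
    code = compile(tree, "<expression>", "eval")
    scope = {"__builtins__": {}}
    scope.update(SAFE_FUNCTIONS)
    return eval(code, scope, dict(row))


if __name__ == "__main__":
    row = {"first_name": "Anurag"}  # constructed stand-in for a DB row
    print(safe_eval('first_name.lower() == "anurag" and today().year >= 2010', row))
    for bad in ("first_name.__class__", "100 ** 1000", "range(10 ** 8)"):
        print(bad, "->", is_safe(bad, row))
```

The whitelist is deliberately small: the question's expression passes, while dunder attribute access, exponentiation (the `100**1000` case from criterion 3) and any call to a name that is not an explicitly exported helper are refused before `eval` ever runs. Growing the whitelist is where the risk lives, so each new node type or attribute should be justified individually rather than added wholesale.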