On 2020-01-19 7:53 PM, Paul Moore wrote:
> On Sun, 19 Jan 2020 at 17:45, <musbur at posteo.org> wrote:
>> Is it actually possible to build a "sandbox" around eval, permitting it
>> only to do some arithmetic and use some math functions, but no
>> filesystem access or module imports?
> If you require safety, you really need to write your own parser/evaluator.

I have written a simple parser/evaluator that is sufficient for my
simple requirements, and I thought I was safe.

Then I saw this comment in a recent post by Robin Becker of ReportLab -

"avoiding simple things like ' '*(10**200) seems quite difficult"

I realised that my method is vulnerable to this and, like Robin, I have
not come up with an easy way to guard against it.
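
One way to guard against the `' '*(10**200)` case raised above, as an added example that is not part of the original post or the poster's evaluator: walk the `ast` tree with an operator whitelist and bound each result's size before computing it. The limits and the names `safe_eval` and `LimitError` are assumptions, and the operator set is narrowed to `+ - * **`.

```python
import ast
import operator

MAX_SRC, MAX_BITS, MAX_LEN = 200, 4096, 10_000  # assumed caps: source chars, int bits, str length
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Pow: operator.pow}

class LimitError(ValueError): pass  # unsupported syntax, or a size budget exceeded

def _check(v):
    if isinstance(v, bool) or not isinstance(v, (int, float, str)):
        raise LimitError("unsupported type")
    if isinstance(v, int) and v.bit_length() > MAX_BITS:
        raise LimitError("integer too large")
    if isinstance(v, str) and len(v) > MAX_LEN:
        raise LimitError("string too long")
    return v

def _guard(op, a, b):
    # Bound the result size BEFORE computing it, so nothing huge is allocated.
    if op is ast.Pow:
        if not (isinstance(a, int) and isinstance(b, int) and b >= 0):
            raise LimitError("only int ** non-negative int is allowed")
        if a.bit_length() * b > MAX_BITS:
            raise LimitError("power too large")
    elif op is ast.Mult and isinstance(a, str) != isinstance(b, str):
        s, n = (a, b) if isinstance(a, str) else (b, a)
        if not isinstance(n, int) or len(s) * n > MAX_LEN:
            raise LimitError("repeated string too long")
    elif (isinstance(a, str) or isinstance(b, str)) and not (
            op is ast.Add and isinstance(a, str) and isinstance(b, str)):
        raise LimitError("unsupported string operation")

def _eval(node):
    if isinstance(node, ast.Constant):
        return _check(node.value)  # literals are size-checked too
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        v = _eval(node.operand)
        _guard(ast.Sub, 0, v)  # treat -v as 0 - v, which rejects strings
        return -v
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        a, b = _eval(node.left), _eval(node.right)
        _guard(type(node.op), a, b)
        return _check(_BINOPS[type(node.op)](a, b))
    raise LimitError("unsupported syntax: " + type(node).__name__)

def safe_eval(src):
    if len(src) > MAX_SRC:
        raise LimitError("source too long")
    return _eval(ast.parse(src, mode="eval").body)
```

The power check uses `a.bit_length() * b` as an upper bound on the result's bit length, so it is conservative: `1**(10**200)` is rejected even though its value is small.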