[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sandboxing eval()

On 2020-01-19 7:53 PM, Paul Moore wrote:
> On Sun, 19 Jan 2020 at 17:45, <musbur at> wrote:
>> Is it actually possible to build a "sandbox" around eval, permitting it
>> only to do some arithmetic and use some math functions, but no
>> filesystem acces or module imports?
> If you require safety, you really need to write your own parser/evaluator.

I have written a simple parser/evaluator that is sufficient for my 
simple requirements, and I thought I was safe.

Then I saw this comment in a recent post by Robin Becker of ReportLab -

     "avoiding simple things like ' '*(10**200) seems quite difficult"

I realised that my method is vulnerable to this  and, like Robin, I have 
not come up with an easy way to guard against it.

Frank Millman