[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sandboxing eval()

On 2020-01-21 3:14 PM, inhahe wrote:
>> I have written a simple parser/evaluator that is sufficient for my
>> simple requirements, and I thought I was safe.
>> Then I saw this comment in a recent post by Robin Becker of ReportLab -
>>       "avoiding simple things like ' '*(10**200) seems quite difficult"
>> I realised that my method is vulnerable to this  and, like Robin, I have
>> not come up with an easy way to guard against it.
>> Frank Millman
> Just use floats instead of integers.

I like that idea. I will probably use Decimal instead of float, but the 
principle is the same.

Thanks for the suggestion.