Saturday, November 29, 2014

Why not to use Python's 'eval' in a public service calculator

Here's a fun write-up on python eval security issues:

http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

Basically, even if you try to remove every function and class from the namespace that eval sees, an expression can still use lambda functions and introspection to regain a huge amount of access.

The most fun example in the write-up is

().__class__.__bases__[0].__subclasses__()

This walks from an empty tuple to its class, from there to the base class object, and then asks object for all of its subclasses, so it returns a list of every class that exists in the interpreter at that point in the program.
