2012/10/11 Vinay Sajip <vinay_sajip at yahoo.co.uk>:
> In response to http://bugs.python.org/issue15452, I've created an improved
> evaluator in the ast module in my sandbox repo. The evaluator supports lookup of
> names in a supplied namespace. The basic interface is
>
> def lookup_eval(source_string_or_ast_node, namespace, allow_imports=False):
>     # perform limited evaluation of Python expressions
>
> Function calls are not allowed in expressions, but the following are:
>
> * Names (looked up in namespace, and imported if not found there and
>   allow_imports is True)
> * Literals, just as literal_eval() does
> * Array indexing and slicing
> * Attribute access
> * Arithmetic operators
> * Bitwise operators
> * Comparison operators
> * in / not in
> * and / or
> * Unary operators

With these operations, you can still cause a lot of trouble.

>
> The patch is attached to the issue, and includes changes to replace the use
> of eval() by logging.config.fileConfig() to use ast.lookup_eval().
>
> I would welcome review of the patch, particularly as there may be security
> implications (the issue is titled "Improve the security model for logging
> listener").

What exactly are you trying to prevent?

--
Regards,
Benjamin
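
Added example, not part of the original message or the attached patch: a minimal allowlist evaluator in the spirit of the interface quoted above, showing two checks a reviewer would look for when attribute access and arithmetic are permitted. `restricted_eval`, `guard`, `allowed`, the size caps and `SAMPLE_NS` are hypothetical names and values chosen here, and only names, literals, attribute access and a few binary operators are covered.

```python
import ast
import logging
import operator

BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Pow: operator.pow, ast.BitOr: operator.or_}
MAX_BITS = 4096    # assumed cap on the size of integer powers
MAX_LEN = 10_000   # assumed cap on the length of repeated sequences
SAMPLE_NS = {"logging": logging}  # constructed sample namespace

class Rejected(ValueError):
    """The expression uses something this policy does not allow."""

def guard(op, left, right):
    # Estimate the result size before computing, so the cost is never paid.
    ok = True
    if op is ast.Pow:  # integer powers only, bounded by bit length
        ok = (type(left) is int and type(right) is int and right >= 0
              and left.bit_length() * right <= MAX_BITS)
    elif op is ast.Mult:  # sequence repetition such as 'a' * n
        seq, n = (left, right) if hasattr(left, "__len__") else (right, left)
        ok = not hasattr(seq, "__len__") or (type(n) is int and len(seq) * n <= MAX_LEN)
    if not ok:
        raise Rejected(f"{op.__name__} operands too large")

def restricted_eval(source, namespace):
    def ev(node):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name) and node.id in namespace:
            return namespace[node.id]
        if isinstance(node, ast.Attribute):
            # Underscore names lead to object internals (__class__, __dict__, ...).
            if node.attr.startswith("_"):
                raise Rejected(f"attribute {node.attr!r} not allowed")
            return getattr(ev(node.value), node.attr)
        if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
            left, right = ev(node.left), ev(node.right)
            guard(type(node.op), left, right)
            return BIN_OPS[type(node.op)](left, right)
        raise Rejected(f"{type(node).__name__} not allowed")  # calls, unknown names, ...
    return ev(ast.parse(source, mode="eval").body)

def allowed(source, namespace):
    try:
        restricted_eval(source, namespace)
    except Rejected:
        return False
    return True
```

Even with the underscore check, `getattr` on a public name can run property or descriptor code on whatever objects the namespace exposes, so the contents of the namespace are part of the policy.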