[Zope] python script, from string to dictionary.

Chris Withers chris at simplistix.co.uk
Mon Feb 11 08:54:49 EST 2008


Dieter Maurer wrote:
>> - google for the bugs in python's 
>> rexec and bastion modules which lead to them being deprecated...
> 
> I speak only about "eval" (not "exec" or "rexec" nor "bastion").
> In the "eval" world, you only have expressions.
> And with the "__builtins__" above, you have no builtin functions,
> no classes, no types -- you have just the literals the parser
> can recognize: strings, integer, float, None, lists, tuples,
> dicts, generators and the typical operators on them.

I suggest you actually follow your own usual advice and do some 
searching, it's never that simple, as you'll see from the bugs people 
have encountered with rexec and bastion ;-)

But, for clarity and for the lazy, here's Toby's example of how to get 
at some interesting classes without using anything but the exec 
environment you described:

{}.__class__.__bases__[0].__subclasses__()

I know Toby wanted to keep that off-list but I think it's important that 
people understand just how unsafe it is to exec anything you can't 100% 
trust.

I have an adage that "there's always something better than exec" and I 
haven't been proved wrong yet...

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
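The following is an added example, not code from the post above or from Zope. It runs Toby's expression inside the eval() environment Dieter described (an empty `__builtins__` dict, no builtin names at all) and builds on it to pull the real `__import__` back out of the globals of some ordinary Python class's `__init__`, still as a single expression. It then shows the "something better than eval" for the original question (string to dictionary): `ast.literal_eval`, which only accepts literals and refuses attribute access, subscripts and calls. The function names are my own; the escape assumes a normal CPython interpreter, where the globals of each imported module carry a `__builtins__` dict.

```python
# Added example (not from the mailing-list post above or from Zope): shows
# that eval() with an empty __builtins__ does not stop an expression from
# reaching arbitrary classes, and that ast.literal_eval is the safer way to
# turn a string into a dict. Function names here are my own.
import ast

# Toby's expression from the thread: reach every subclass of object
# without touching a single builtin name.
SUBCLASSES_EXPR = "{}.__class__.__bases__[0].__subclasses__()"

# Builds on it: pick the classes whose __init__ is a plain Python function,
# read that function's module globals, and pull the real builtins dict out
# of them, all inside one eval() expression with no builtins available.
# (Assumes a normal CPython interpreter, where the globals of every
# imported module carry a '__builtins__' dict.)
ESCAPE_EXPR = (
    "[g['__builtins__'] for g in "
    "  [c.__init__.__globals__ for c in " + SUBCLASSES_EXPR +
    "   if c.__init__.__class__.__name__ == 'function']"
    " if '__builtins__' in g and g['__builtins__'].__class__.__name__ == 'dict'"
    "][0]['__import__']"
)


def eval_in_sandbox(expr):
    """The 'locked down' eval described in the thread: no builtin names."""
    return eval(expr, {"__builtins__": {}}, {})


def count_reachable_classes():
    """How many classes the sandboxed expression can reach."""
    return len(eval_in_sandbox(SUBCLASSES_EXPR))


def recover_import_via_eval():
    """Return the genuine builtins.__import__, obtained from inside the sandbox."""
    return eval_in_sandbox(ESCAPE_EXPR)


def parse_dict_safely(text):
    """The 'something better than eval': ast.literal_eval only accepts
    literals, so attribute access, subscripts and calls are rejected."""
    value = ast.literal_eval(text)
    if not isinstance(value, dict):
        raise ValueError("expected a dict literal")
    return value


def literal_eval_rejects(text):
    """True if ast.literal_eval refuses to evaluate the expression."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    import builtins
    print("classes reachable from the sandbox:", count_reachable_classes())
    imp = recover_import_via_eval()
    print("escaped to the real __import__:", imp is builtins.__import__,
          "pid via imported os:", imp("os").getpid())
    print(parse_dict_safely("{'a': 1, 'b': [2, 3]}"))
    print("literal_eval rejects the escape:", literal_eval_rejects(ESCAPE_EXPR))
```

Running it prints several hundred reachable classes and `True` for the escape: once `__import__` is back, `os`, `subprocess` and everything else follow, so the empty `__builtins__` buys nothing against untrusted input. For the original use case (a string that should be a dict), `ast.literal_eval` is the drop-in answer; it never executes anything, and the isinstance check on the result is what turns "a literal" into "a dict".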
