[Python-Dev] Improved evaluator added to ast module

Benjamin Peterson benjamin at python.org
Thu Oct 11 18:34:52 CEST 2012


2012/10/11 Vinay Sajip <vinay_sajip at yahoo.co.uk>:

> In response to http://bugs.python.org/issue15452, I've created an improved evaluator in the ast module in my sandbox repo. The evaluator supports lookup of names in a supplied namespace. The basic interface is

> def lookup_eval(source_string_or_ast_node, namespace, allow_imports=False):
>     # perform limited evaluation of Python expressions
>
> Function calls are not allowed in expressions, but the following are:
>
> * Names (looked up in namespace, and imported if not found there and
>   allow_imports is True)
> * Literals, just as literal_eval() does
> * Array indexing and slicing
> * Attribute access
> * Arithmetic operators
> * Bitwise operators
> * Comparison operators
> * in / not in
> * and / or
> * Unary operators

With these operations, you can still cause a lot of trouble.

> The patch is attached to the issue, and includes changes to replace the use of eval() by logging.config.fileConfig() to use ast.lookup_eval(). I would welcome review of the patch, particularly as there may be security implications (the issue is titled "Improve the security model for logging listener").

What exactly are you trying to prevent?

--
Regards,
Benjamin
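To make Benjamin's remark concrete, here is an added example, not Vinay's patch from the issue and not code from the thread: a sketch of a no-calls evaluator with exactly the whitelist quoted above, followed by two expressions that still do damage without a single Call node. The names `lookup_eval`, `helper`, `Tripwire`, `leak_environment`, `operators_run_object_code` and the `DEMO_SECRET` value are the example's own, and the `allow_imports` path is left out.

```python
import ast
import operator
import os

# Operator tables for the whitelisted node types (added example, not the
# ast module or the patch on issue15452).
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
    ast.BitOr: operator.or_, ast.BitAnd: operator.and_, ast.BitXor: operator.xor,
}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.Is: operator.is_, ast.IsNot: operator.is_not,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}
_UNARY_OPS = {
    ast.UAdd: operator.pos, ast.USub: operator.neg,
    ast.Not: operator.not_, ast.Invert: operator.invert,
}


def lookup_eval(source, namespace):
    """Evaluate an expression (str or ast node) against `namespace`.

    Call nodes, and anything else outside the whitelist, raise ValueError.
    """
    node = ast.parse(source, mode="eval").body if isinstance(source, str) else source
    return _eval(node, namespace)


def _eval(node, ns):
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return ns[node.id]
    if isinstance(node, ast.Attribute):
        return getattr(_eval(node.value, ns), node.attr)
    if isinstance(node, ast.Subscript):
        return _eval(node.value, ns)[_eval(node.slice, ns)]
    if isinstance(node, getattr(ast, "Index", ())):   # Python < 3.9 wraps subscripts
        return _eval(node.value, ns)
    if isinstance(node, ast.Slice):
        return slice(*(None if part is None else _eval(part, ns)
                       for part in (node.lower, node.upper, node.step)))
    if isinstance(node, (ast.List, ast.Tuple)):
        items = [_eval(elt, ns) for elt in node.elts]
        return items if isinstance(node, ast.List) else tuple(items)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left, ns), _eval(node.right, ns))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval(node.operand, ns))
    if isinstance(node, ast.BoolOp):
        is_and = isinstance(node.op, ast.And)
        result = None
        for value in node.values:
            result = _eval(value, ns)
            if bool(result) != is_and:       # short-circuit the way Python does
                break
        return result
    if isinstance(node, ast.Compare):
        left = _eval(node.left, ns)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator, ns)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    raise ValueError("disallowed expression element: %s" % type(node).__name__)


# ---- constructed demonstrations of "you can still cause a lot of trouble" ----

os.environ["DEMO_SECRET"] = "hunter2"     # constructed value for the demo


def helper():
    """An innocuous function an application might expose in the namespace."""
    return "hello"


def leak_environment(name):
    """Attribute access and indexing alone walk from `helper` to its module
    globals, from there to the `os` module, and read an environment variable."""
    expr = "helper.__globals__['os'].environ[%r]" % name
    return lookup_eval(expr, {"helper": helper})


class Tripwire:
    """Logs which special methods the whitelisted operators dispatch to."""
    def __init__(self, log):
        self.log = log
    def __getitem__(self, key):
        self.log.append("__getitem__"); return self
    def __add__(self, other):
        self.log.append("__add__"); return self
    def __contains__(self, item):
        self.log.append("__contains__"); return True


def operators_run_object_code():
    """'t[0]', '+ 1' and 'in t' each run Python defined on the object itself."""
    log = []
    lookup_eval("t[0] + 1 in t", {"t": Tripwire(log)})
    return log


def rejects_calls():
    """The whitelist does stop explicit calls."""
    try:
        lookup_eval("__import__('os').system('id')", {})
    except ValueError:
        return True
    return False
```

The two demonstrations are the practical reading of Benjamin's question: banning Call nodes does not stop an expression from reaching `os.environ` through `__globals__` of any function in the namespace, and every whitelisted operator is a method call in disguise, so whatever `__getitem__`, `__add__` or `__contains__` the namespace objects define will run. Arithmetic is not bounded either; an expression such as `9 ** 9 ** 9 ** 9` passes the whitelist and will not return in useful time.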


