[Python-Dev] Improved evaluator added to ast module

[Benjamin Peterson]

2012/10/11 Vinay Sajip <vinay_sajip at yahoo.co.uk>:
> In response to http://bugs.python.org/issue15452, I've created an improved
> evaluator in the ast module in my sandbox repo. The evaluator supports lookup of
> names in a supplied namespace. The basic interface is
>
> def lookup_eval(source_string_or_ast_node, namespace, allow_imports=False):
>    # perform limited evaluation of Python expressions
>
> Function calls are not allowed in expressions, but the following are:
>
> * Names (looked up in namespace, and imported if not found there and
>   allow_imports is True)
> * Literals, just as literal_eval() does
> * Array indexing and slicing
> * Attribute access
> * Arithmetic operators
> * Bitwise operators
> * Comparison operators
> * in / not in
> * and / or
> * Unary operators

With this operations, you can still cause a lot of trouble.

>
> The patch is attached to the issue, and includes changes to replace the use
> of eval() by logging.config.fileConfig() to use ast.lookup_eval().
>
> I would welcome review of the patch, particularly as there may be security
> implications (the issue is titled "Improve the security model for logging
> listener").

What exactly are you trying to prevent?


-- 
Regards,
Benjamin