SEC: UNCLASSIFIED RE: [Python-au] String Casting

Ogawa, Taro MR Taro.Ogawa at defence.gov.au
Tue Mar 29 06:08:02 CEST 2005


Tony McGee writes:
> However, if the source of the string is untrusted then using
> eval() can allow execution of arbitrary code. The original post
> mentions that the string is 'posted to my python program (which
> I cant control)'

True, but it's not evalling the raw string, but a string containing the raw
string, which should be safe providing that you're getting a vanilla raw
string... If you're getting an object which can overload (say) its __str__()
method, then of course eval is unsafe, but then so is every other method
provided since __getattribute__() can be overloaded (and if you overload
__iter__() then even stepping through and attempting to build a new string
character by character is insecure).

-T.

----
Taro Ogawa
Staff Officer (Record of Training and Employment)
Record of Training and Employment Office
Naval Personnel and Training Centre - Canberra
CP4-2-161
DEPARTMENT OF DEFENCE
CANBERRA   ACT   2612
Phone: (02) 6266 4535
Fax:   (02) 6266 2185
Email: Taro.Ogawa at defence.gov.au

IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the Crimes
Act 1914. If you have received this e-mail in error, you are requested to
contact the sender and delete the e-mail 
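An added illustration of the point above, not code from anyone in the thread: the quoted form of a plain str round-trips without eval() if it is parsed with ast.literal_eval(), which accepts only literals, and the "vanilla" precondition is enforced by checking the exact type, since a str subclass can override __repr__()/__str__(). The NonLiteralRepr class and the input strings are constructed for the demo.

```python
import ast


def safe_cast_string(value):
    """Round-trip a posted value through its quoted literal without eval().

    Rejects anything that is not exactly a built-in str (a subclass could
    override __repr__/__str__, as the thread notes), then parses the quoted
    form with ast.literal_eval, which only accepts literals and never runs code.
    """
    if type(value) is not str:           # isinstance() would accept subclasses
        raise TypeError("expected a plain str, got %s" % type(value).__name__)
    quoted = repr(value)                 # the "string containing the raw string"
    result = ast.literal_eval(quoted)    # literal parse, not eval()
    if result != value:
        raise ValueError("literal round-trip did not preserve the input")
    return result


class NonLiteralRepr(str):
    """Constructed str subclass whose repr() is an expression, not a literal.

    eval(repr(x)) would evaluate that expression; the type check above rejects
    the object outright, and ast.literal_eval() refuses the text anyway.
    """
    def __repr__(self):
        return "len('abc')"


def demo():
    # A vanilla str with quotes and a newline survives the round-trip intact.
    plain = safe_cast_string("it's \"quoted\"\n")
    # The subclass never reaches the parser: exact-type check fires first.
    try:
        safe_cast_string(NonLiteralRepr("x"))
        rejected_subclass = False
    except TypeError:
        rejected_subclass = True
    # Even the overridden repr() text is not a literal, so literal_eval rejects it.
    try:
        ast.literal_eval(repr(NonLiteralRepr("x")))
        literal_eval_rejects = False
    except ValueError:
        literal_eval_rejects = True
    return plain, rejected_subclass, literal_eval_rejects


if __name__ == "__main__":
    print(demo())
```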
