Pieter

Reputation: 32755

Using eval securely to execute functions

def myFunc(arg1, arg2):
    print "This is a test with " + arg1 + " and " + arg2

# Initialise before the loop; otherwise the first comparison
# tests the builtin input() function rather than a string.
input = ""
while input != "quit":
    input = raw_input("> ")

    if input != "quit":
        eval(input)

This code gives me a prompt, allowing me to invoke myFunc with parameters I want. I know that eval can be dangerous if a dictionary is not supplied, so I added this:

eval(input, {"__builtins__": {}})

Now I can no longer invoke myFunc. How do I fix this without leaving eval open to exploits?

Upvotes: 2

Views: 1285

Answers (3)

Ned Batchelder

Reputation: 375484

If you need a demonstration of how eval is still dangerous even with the builtins removed, see this: Eval really is dangerous. There are examples there of segfaulting the CPython interpreter, or of exiting it directly.

Upvotes: 0

Michael Williamson

Reputation: 11438

This will allow you to use myFunc:

eval(input, {"__builtins__": {}, "myFunc": myFunc})

However, as others have pointed out, using eval is inherently insecure, and still vulnerable to exploits.

Upvotes: 1

Mike Graham

Reputation: 76663

Your question, "How do I fix this without leaving eval open to exploits?", isn't the right one—eval is vulnerable to exploits, period. Not introducing __builtins__ into the global namespace of the evaluated code does not make the __builtin__ module impossible to access, and it doesn't close off other points of entry.

If you explained more about the problem you are trying to solve, someone may be able to suggest a secure option to accomplish your goals.

Upvotes: 1
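The kind of secure option this answer alludes to, added here as an example and not taken from any of the answers: parse the prompt input with the ast module, accept only a single call to a whitelisted name whose arguments are literals, and never hand the string to eval. It is written for Python 3 (the question's code is Python 2), and myFunc is assumed to return its message rather than print it so the result can be checked.

```python
import ast


def myFunc(arg1, arg2):
    # Returns instead of printing so callers can inspect the result.
    return "This is a test with " + arg1 + " and " + arg2


# Whitelist of callable commands: nothing outside this dict is reachable.
COMMANDS = {"myFunc": myFunc}


class CommandError(ValueError):
    """Raised for any input that is not a permitted command call."""


def parse_call(text):
    """Return (name, args) for input shaped like name(literal, ...).

    The callee must be a bare name in COMMANDS and every positional
    argument must be a literal accepted by ast.literal_eval; attribute
    access, nested calls, names and keyword arguments are all rejected.
    """
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise CommandError("not a valid expression: %s" % exc)
    node = tree.body
    if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name):
        raise CommandError("input must be a call to a named command")
    if node.keywords:
        raise CommandError("keyword arguments are not allowed")
    name = node.func.id
    if name not in COMMANDS:
        raise CommandError("unknown command: %r" % name)
    args = []
    for arg in node.args:
        try:
            args.append(ast.literal_eval(arg))  # literals only, no evaluation
        except ValueError:
            raise CommandError("arguments must be literals")
    return name, args


def run_command(text):
    """Dispatch one line of user input to the whitelisted function."""
    name, args = parse_call(text)
    return COMMANDS[name](*args)
```

A wrong number of arguments surfaces as a TypeError from the called function, which a prompt loop can catch alongside CommandError.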
