Fett | 28 Aug 23:47

eval() == evil? --- How to use it safely?

I am creating a program that requires some data that must be kept up
to date. What I plan is to put this data up on a web-site then have
the program periodically pull the data off the web-site.

My problem is that when I pull the data (currently stored as a
dictionary on the site) off the site, it is a string, I can use eval()
to make that string into a dictionary, and everything is great.
However, this means that I am using eval() on some string on a web-
site, which seems pretty un-safe.

I read that by using eval(code,{"__builtins__":None},{}) I can prevent
them from using pretty much anything, and my nested dictionary of
strings is still allowable. What I want to know is:

What are the dangers of eval?
- I originally was using exec() but switched to eval() because I
didn't want some hacker to be able to delete/steal files off my
clients' computers. I assume this is not an issue with eval(), since
eval won't execute commands.
- What exactly can someone do by modifying my code string in a command
like: thing = eval(code, {"__builtins__":None}, {}), anything other than
assign their own values to the object thing?
--
http://mail.python.org/mailman/listinfo/python-list

Bruno Desthuilliers | 28 Aug 21:57

Re: eval() == evil? --- How to use it safely?

Fett a écrit :
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
> 
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()

Short answer: use json as the format for data transfer.
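Bruno's short answer, worked through as an added example (this is not code from the thread). It assumes the site serves the same nested dictionary of strings as JSON; the names load_remote_data, is_nested_str_dict, MAX_DEPTH and the sample document are my choices. json.loads (standard library since Python 2.6) can only ever build dicts, lists, strings, numbers, booleans and None, so nothing in the fetched text is executed; the shape check afterwards is the part you still need, because a valid JSON document can still be the wrong data.

```python
import json

# Constructed sample of what the web site could serve instead of a Python
# dict literal: a nested dictionary of strings, encoded as JSON.
SAMPLE_JSON = (
    '{"version": "3", '
    '"mirrors": {"eu": "http://example.invalid/eu", "us": "http://example.invalid/us"}}'
)

# Assumed bound on nesting, so a hostile document cannot nest without limit.
MAX_DEPTH = 8


def is_nested_str_dict(value, depth=0):
    """True if `value` is a dict whose leaves are all strings (nesting allowed).

    Any list, number, boolean or None anywhere in the tree fails the check,
    as does nesting deeper than MAX_DEPTH.
    """
    if depth > MAX_DEPTH or not isinstance(value, dict):
        return False
    for key, item in value.items():
        if not isinstance(key, str):  # always true for JSON, kept for other loaders
            return False
        if isinstance(item, dict):
            if not is_nested_str_dict(item, depth + 1):
                return False
        elif not isinstance(item, str):
            return False
    return True


def load_remote_data(text):
    """Parse the fetched body as JSON and reject anything not of the expected shape.

    Raises ValueError both for text that is not JSON at all (e.g. a Python
    expression someone planted on the site) and for JSON of the wrong shape
    (a malicious edit, or an honest typo by whoever maintains the page).
    """
    try:
        data = json.loads(text)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        raise ValueError("remote data is not valid JSON: %s" % exc)
    if not is_nested_str_dict(data):
        raise ValueError("remote data does not have the expected shape")
    return data


def rejects(text):
    """True if load_remote_data refuses `text` (convenience for the checks below)."""
    try:
        load_remote_data(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(load_remote_data(SAMPLE_JSON))
    for bad in ("__import__('os').system('ls')", '{"a": 1}', "[1, 2]"):
        print("rejected %r: %s" % (bad, rejects(bad)))
```

On the client, read the HTTP body into a string (and put a size cap on it before parsing) and hand it to load_remote_data; on the site, produce the document with json.dumps rather than by hand so the two sides agree on the format.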

Jean-Paul Calderone | 29 Aug 00:02

Re: eval() == evil? --- How to use it safely?

On Thu, 28 Aug 2008 14:51:57 -0700 (PDT), Fett <fettmanchu <at> gmail.com> wrote:
>I am creating a program that requires some data that must be kept up
>to date. What I plan is to put this data up on a web-site then have
>the program periodically pull the data off the web-site.
>
>My problem is that when I pull the data (currently stored as a
>dictionary on the site) off the site, it is a string, I can use eval()
>to make that string into a dictionary, and everything is great.
>However, this means that I am using eval() on some string on a web-
>site, which seems pretty un-safe.
>
>I read that by using eval(code,{"__builtins__":None},{}) I can prevent
>them from using pretty much anything, and my nested dictionary of
>strings is still allowable. What I want to know is:
>
>What are the dangers of eval?
>- I originally was using exec() but switched to eval() because I
>didn't want some hacker to be able to delete/steal files off my
>clients computers. I assume this is not an issue with eval(), since
>eval wont execute commands.
>- What exactly can someone do by modifying my code string in a command
>like: thing = eval(code{"__builtins__":None},{}), anything other than
>assign their own values to the object thing?

eval and exec are the same.  Don't use either with strings from a web page.
Try using a simple format for your data, such as CSV.

Jean-Paul

Guilherme Polo | 29 Aug 00:09

Re: eval() == evil? --- How to use it safely?

On Thu, Aug 28, 2008 at 6:51 PM, Fett <FettManChu <at> gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.
>
> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, and my nested dictionary of
> strings is still allowable. What I want to know is:
>
> What are the dangers of eval?
> - I originally was using exec() but switched to eval() because I
> didn't want some hacker to be able to delete/steal files off my
> clients computers. I assume this is not an issue with eval(), since
> eval wont execute commands.
> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?

By "disabling" __builtins__ you indeed cut some obvious tricks, but
someone still could send you a string like "10 ** 10 ** 10".


James Matthews | 29 Aug 01:21

Re: eval() == evil? --- How to use it safely?

I had an issue once that I was getting true and false statements in text and needed to convert them into Python boolean objects. So I wrote a function to parse the text and return True or False based on the text.

On Thu, Aug 28, 2008 at 3:09 PM, Guilherme Polo <ggpolo <at> gmail.com> wrote:
On Thu, Aug 28, 2008 at 6:51 PM, Fett <FettManChu <at> gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.
>
> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, and my nested dictionary of
> strings is still allowable. What I want to know is:
>
> What are the dangers of eval?
> - I originally was using exec() but switched to eval() because I
> didn't want some hacker to be able to delete/steal files off my
> clients computers. I assume this is not an issue with eval(), since
> eval wont execute commands.
> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?

By "disabling" __builtins__ you indeed cut some obvious tricks, but
someone still could send you a string like "10 ** 10 ** 10".
James Mills | 29 Aug 01:38

Re: eval() == evil? --- How to use it safely?

Hi,

If you cannot use a simple data structure/format
like JSON, or CSV, or similar, _don't_
use eval or exec, but use the pickle
libraries instead. This is much safer.

cheers
James

On Fri, Aug 29, 2008 at 7:51 AM, Fett <FettManChu <at> gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.
>
> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, and my nested dictionary of
> strings is still allowable. What I want to know is:
>
> What are the dangers of eval?
> - I originally was using exec() but switched to eval() because I
> didn't want some hacker to be able to delete/steal files off my
> clients computers. I assume this is not an issue with eval(), since
> eval wont execute commands.
> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?

castironpi | 29 Aug 01:42

Re: eval() == evil? --- How to use it safely?

On Aug 28, 4:51 pm, Fett <FettMan...@gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.

May I suggest PyYAML?

rustom | 3 Sep 12:10

Re: eval() == evil? --- How to use it safely?

On Aug 29, 4:42 am, castironpi <castiro...@gmail.com> wrote:

> May I suggest PyYAML?

I second that.

Yaml is very pythonic (being indentation based) and pyyaml is sweet.

Only make sure you use safe_load not load and you will have only
default construction for standard python objects -- lists,
dictionaries and 'atomic' things so no arbitrary code can be executed.

Someone else suggested json which is about the same as yml if there
are no objects. And by using safe_load you are not using objects.

Steven D'Aprano | 29 Aug 02:12

Re: eval() == evil? --- How to use it safely?

On Thu, 28 Aug 2008 14:51:57 -0700, Fett wrote:

> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, 

No, it can prevent them from some obvious dangers, but not all obvious 
dangers and possibly not unobvious ones.

> and my nested dictionary of
> strings is still allowable. What I want to know is:
> 
> What are the dangers of eval?

You're executing code on your server that was written by arbitrary and 
untrusted people over the Internet.

> - I originally was using exec() but switched to eval() because I didn't
> want some hacker to be able to delete/steal files off my clients
> computers. I assume this is not an issue with eval(), since eval wont
> execute commands.

Bare eval() certainly can:

eval('__import__("os").system("ls *")')  # or worse...

eval() with the extra arguments given makes that sort of thing harder, 
but does it make it impossible? Are you willing to bet your server on it?

> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?

They can cause an exception:

code = '0.0/0.0'
thing = eval(code, {"__builtins__": None}, {})

They can cause a denial of service attack:

code = '10**10**10'

They can feed you bad data:

code = "{ 'akey': 'Something You Don\'t Expect' }"

You have to deal with bad data no matter what you do, but why make it 
easy for them to cause exceptions?

BTW, in case you think that you only have to deal with malicious attacks, 
you also have to deal with accidents caused by incompetent users.

-- 
Steven
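Steven's points above (and Guilherme's 10**10**10), demonstrated as an added example that is not code from the thread. restricted_eval is the exact eval(code, {"__builtins__": None}, {}) form the original poster asked about; the other function names and the sample strings are mine. The block shows that removing __builtins__ only blocks builtin *names*: attribute access still works, so an expression can enumerate every loaded class without naming a single builtin, which is the usual starting point for getting out of such a sandbox. It then shows ast.literal_eval (standard library since Python 2.6) as the drop-in for the dict-literal format the poster already uses: it builds the value from the parse tree and refuses operators, calls and attribute access, so none of the hostile strings is ever executed.

```python
import ast

# Constructed inputs: a legitimate nested-dict document plus the hostile
# strings discussed in the thread.  Nothing here is run through a bare eval.
GOOD = "{'akey': {'nested': 'value'}, 'other': 'text'}"
IMPORT_PAYLOAD = '__import__("os").system("echo pwned")'
DOS_PAYLOAD = "10**10**10"
EXC_PAYLOAD = "0.0/0.0"
# Needs no builtin name at all: walks from an empty tuple up to `object` and
# lists every direct subclass the interpreter has loaded.
SUBCLASS_PAYLOAD = "().__class__.__base__.__subclasses__()"


def restricted_eval(code):
    """The sandbox proposed in the thread: eval with __builtins__ set to None."""
    return eval(code, {"__builtins__": None}, {})


def sandbox_blocks_import_name():
    """True if the restricted eval refuses the plain __import__ payload.

    It does, because the *name* __import__ can no longer be resolved
    (CPython raises NameError or TypeError here, depending on version).
    """
    try:
        restricted_eval(IMPORT_PAYLOAD)
    except (NameError, TypeError):
        return True
    return False


def classes_reachable_without_builtins():
    """Number of classes the 'sandboxed' eval can still enumerate.

    Attribute lookups never consult __builtins__, so this succeeds and
    returns the full list of direct subclasses of `object`.
    """
    return len(restricted_eval(SUBCLASS_PAYLOAD))


def literal_parse(code):
    """Parse Python literal syntax only; never evaluates an expression.

    ast.literal_eval raises ValueError for operators, calls and attribute
    access, so 10**10**10 and 0.0/0.0 are rejected rather than computed.
    """
    return ast.literal_eval(code)


def literal_parse_rejects(code):
    """True if literal_parse refuses `code`.

    MemoryError and RecursionError are included because a pathologically
    deep literal can still exhaust the parser; cap the input size before
    calling this in real code.
    """
    try:
        literal_parse(code)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return True
    return False


if __name__ == "__main__":
    print("restricted eval blocks the __import__ name:", sandbox_blocks_import_name())
    print("...but still enumerates", classes_reachable_without_builtins(), "classes")
    print("literal_eval result:", literal_parse(GOOD))
    for payload in (IMPORT_PAYLOAD, SUBCLASS_PAYLOAD, DOS_PAYLOAD, EXC_PAYLOAD):
        print("literal_eval rejects %r: %s" % (payload, literal_parse_rejects(payload)))
```

literal_parse only guarantees that no code runs; it says nothing about whether the resulting dict has the keys and types you expect, so the "bad data" case Steven mentions still needs its own check after parsing, exactly as it would with JSON or CSV.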

Paul Rubin | 29 Aug 02:57

Re: eval() == evil? --- How to use it safely?

Fett <FettManChu <at> gmail.com> writes:
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.

Don't even think of doing that.

> I read that by using eval(code,{"__builtins__":None},{})

It is not reliable enough.  Don't use eval for this AT ALL.

> - I originally was using exec() but switched to eval() 

For this purpose there is no difference between exec and eval.

Use something like simplejson or cjson instead.

mario | 3 Sep 09:28

Re: eval() == evil? --- How to use it safely?

On Aug 28, 11:51 pm, Fett <FettMan...@gmail.com> wrote:
> I am creating a program that requires some data that must be kept up
> to date. What I plan is to put this data up on a web-site then have
> the program periodically pull the data off the web-site.
>
> My problem is that when I pull the data (currently stored as a
> dictionary on the site) off the site, it is a string, I can use eval()
> to make that string into a dictionary, and everything is great.
> However, this means that I am using eval() on some string on a web-
> site, which seems pretty un-safe.
>
> I read that by using eval(code,{"__builtins__":None},{}) I can prevent
> them from using pretty much anything, and my nested dictionary of
> strings is still allowable. What I want to know is:
>
> What are the dangers of eval?
> - I originally was using exec() but switched to eval() because I
> didn't want some hacker to be able to delete/steal files off my
> clients computers. I assume this is not an issue with eval(), since
> eval wont execute commands.
> - What exactly can someone do by modifying my code string in a command
> like: thing = eval(code{"__builtins__":None},{}), anything other than
> assign their own values to the object thing?

If you like to look at a specific attempt for making eval() safe(r)
take a look at how the **eval-based** Evoque Templating engine does
it, for which a short overview is here:
http://evoque.gizmojo.org/usage/restricted/

While it does not provide protection against DoS-type attacks, it
should be safe against code that tries to pirate tangible resources
off your system, such as files and disk. Actually, any problems anyone
may find are greatly appreciated...

