From 8b14d746452a0180675ea6e932c5220a8a6aa48e Mon Sep 17 00:00:00 2001 From: Mark Pilgrim Date: Thu, 17 Sep 2009 21:33:50 -0400 Subject: [PATCH] updated link --- advanced-iterators.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/advanced-iterators.html b/advanced-iterators.html index 7815f6e..9a57e72 100755 --- a/advanced-iterators.html +++ b/advanced-iterators.html @@ -528,7 +528,7 @@ for guess in itertools.permutations(digits, len(characters)):

eval() is EVIL -

Well, the evil part is evaluating arbitrary expressions from untrusted sources. You should only use eval() on trusted input. Of course, the trick is figuring out what’s “trusted.” But here’s something I know for certain: you should NOT take this alphametics solver and put it on the internet as a fun little web service. Don’t make the mistake of thinking, “Gosh, the function does a lot of string manipulation before getting a string to evaluate; I can’t imagine how someone could exploit that.” Someone WILL figure out how to sneak nasty executable code past all that string manipulation (stranger things have happened), and then you can kiss your server goodbye. +

Well, the evil part is evaluating arbitrary expressions from untrusted sources. You should only use eval() on trusted input. Of course, the trick is figuring out what’s “trusted.” But here’s something I know for certain: you should NOT take this alphametics solver and put it on the internet as a fun little web service. Don’t make the mistake of thinking, “Gosh, the function does a lot of string manipulation before getting a string to evaluate; I can’t imagine how someone could exploit that.” Someone WILL figure out how to sneak nasty executable code past all that string manipulation (stranger things have happened), and then you can kiss your server goodbye.

But surely there’s some way to evaluate expressions safely? To put eval() in a sandbox where it can’t access or harm the outside world? Well, yes and no.
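Review bot: the commit message "updated link" does not say which link changed or what the new target is, and in the hunk the removed and added paragraphs read identically once the markup is dropped, so the actual change (presumably a URL inside an anchor tag in that paragraph) is not reviewable from the visible lines. Suggest a commit message that names the old and new URL, e.g. "updated link: <old URL> -> <new URL>", so that later readers can confirm the replacement is the intended one without re-rendering the HTML; the stats line (1 insertion, 1 deletion) confirms that only this one paragraph line was touched.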