Dieter Maurer wrote:
- google for the bugs in python's rexec and bastion modules which lead to them being deprecated...
I speak only about "eval" (not "exec" or "rexec" nor "bastion"). In the "eval" world, you only have expressions. And with the "__builtins__" above, you have no builtin functions, no classes, no types -- you have just the literals the parser can recognize: strings, integer, float, None, lists, tuples, dicts, generators and the typical operators on them.
I suggest you actually follow your own usual advice and do some searching, it's never that simple, as you'll see from the bugs people have encountered with rexec and bastion ;-) But, for clarity and for the lazy, here's Toby's example of how to get at some interesting classes without using aything but the exec environment you described: {}.__class__.__bases__[0].__subclasses__() I know Toby wanted to keep that off-list but I think it's important that people understand just how unsafe it is to exec anything you can't 100% trust. I have an addage that "there's always something better than exec" and I haven't been proved wrong yet... cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk