7 Feb 2008, 7:06 p.m.
Chris Withers wrote at 2008-2-7 10:25 +0000:
> Bill Campbell wrote:
>> On Thu, Feb 07, 2008, Stefano Guglia wrote:
>>> hello!
>>> I converted a dictionary in a string, and now I need to change back the same string as a dictionary in a zope python script.
>>
>> s = repr(d)
>> newdict = eval(s)
>
> NO!
>
> Never ever ever eval strings. At some point you will end up eval'ing a user-supplied string and hey presto - instant massive security vulnerability.

It is easy to secure "eval":

    globs = {'__builtins__':{}}
    eval(s, globs, globs)

This ensures that "eval" cannot use any builtin functions -- especially, it cannot import anything.

-- Dieter
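As an added example (not part of the thread and not code from any of the posters), the following shows the round trip the original question asks for, repr() out and back to a dict, done with ast.literal_eval instead of eval(). literal_eval only accepts Python literal syntax (strings, numbers, tuples, lists, dicts, sets, booleans, None) and raises ValueError or SyntaxError for anything else, such as names, attribute access or calls, so it never executes code regardless of what the string contains. The sample dict and the rejected inputs are constructed for the demonstration; the helper names are assumptions.

```python
import ast


def dict_to_string(d):
    """Serialize a dict of plain Python literals to a string, as the thread does with repr()."""
    return repr(d)


def string_to_dict(s):
    """Parse a dict back out of a string without eval().

    ast.literal_eval parses the text into an AST and only evaluates literal
    nodes; a Name, Attribute or Call node makes it raise ValueError, and
    invalid syntax raises SyntaxError. No code in the string is ever run.
    """
    value = ast.literal_eval(s)
    if not isinstance(value, dict):
        raise TypeError("expected a dict literal, got %s" % type(value).__name__)
    return value


def is_dict_literal(s):
    """True when s is a pure dict literal, False for every other input.

    RecursionError and MemoryError are included because literal_eval builds
    the full AST first, so deeply nested or oversized input is rejected rather
    than allowed to propagate.
    """
    try:
        string_to_dict(s)
    except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError):
        return False
    return True


# Constructed sample data: a config-style dict and the round trip through a string.
SAMPLE = {"name": "zope", "port": 8080, "tags": ["web", "app"], "enabled": True, "ttl": None}
SAMPLE_STRING = dict_to_string(SAMPLE)

# Constructed inputs that eval() would execute but literal_eval refuses:
REJECTED = [
    "{'a': [1, 2].pop()}",   # a call expression
    "{'a': some_name}",      # a name lookup
    "{'a': x.y}",            # attribute access
    "[1, 2, 3]",             # valid literal, but not a dict
    "{'a': 1",               # broken syntax
]

if __name__ == "__main__":
    print(string_to_dict(SAMPLE_STRING) == SAMPLE)
    for text in REJECTED:
        print(repr(text), "->", is_dict_literal(text))
```

Because literal_eval never consults builtins or globals at all, there is nothing to lock down: the string either spells out a literal value or it is rejected.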