hello! I converted a dictionary into a string, and now I need to change the same string back into a dictionary in a Zope Python script. Any help? thanks, Stefano.
On Thu, Feb 07, 2008, Stefano Guglia wrote:
hello!
I converted a dictionary into a string, and now I need to change the same string back into a dictionary in a Zope Python script.
s = repr(d)
newdict = eval(s)

Bill
-- 
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

That rifle on the wall of the labourer's cottage or working class flat is the symbol of democracy. It is our job to see that it stays there. --GEORGE ORWELL
Bill Campbell wrote:
On Thu, Feb 07, 2008, Stefano Guglia wrote:
hello!
I converted a dictionary into a string, and now I need to change the same string back into a dictionary in a Zope Python script.
s = repr(d)
newdict = eval(s)

NO! Never ever ever eval strings. At some point you will end up eval'ing a user-supplied string and hey presto - instant massive security vulnerability.

The original post is a bit crap, since no mention was made as to how the dict was turned into a string. As to what he wants to do with this and why he's doing it, that's likely the source of the real problem!

cheers,
Chris
-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Thursday 07 February 2008 11:25:07 Chris Withers wrote:
Bill Campbell wrote:
On Thu, Feb 07, 2008, Stefano Guglia wrote:
hello!
I converted a dictionary into a string, and now I need to change the same string back into a dictionary in a Zope Python script.
s = repr(d)
newdict = eval(s)
NO!
Never ever ever eval strings. At some point you will end up eval'ing a user-supplied string and hey presto - instant massive security vulnerability.
The original post is a bit crap, since no mention was made as to how the dict was turned into a string. As to what he wants to do with this and why he's doing it, that's likely the source of the real problem!
cheers,
Chris
I 'serialized' mysql data in order to flatten one-to-many related tables. The resulting dictionaries (one per record) look like, e.g.:

mydict[brandcode] = {
    'itemcode': 'some value',
    'itemsizeavail': [('XL',), ('XXL',), ('S',)],
    'keythree': '',
    'keyfour': [],
    ...
}

Now I can index the whole content in order to make it searchable from the Plone quick search form. mydict[] records are then saved as strings in DB table records. I now need to go from string back to dict, to access keys/values and print detailed reports.

If you have much better ideas on how to do this, please let us know. I handle python, zope etc. at a very basic level now, so surely I've missed some features. I'm sorry if I wasn't clear, and thanks!

Stefano.
sguglia@arrows.it wrote:
I 'serialized' mysql data in order to flatten one-to-many related tables. The resulting dictionaries (one per record) look like, e.g.:

mydict[brandcode] = {
    'itemcode': 'some value',
    'itemsizeavail': [('XL',), ('XXL',), ('S',)],
    'keythree': '',
    'keyfour': [],
    ...
}

Now I can index the whole content in order to make it searchable from the Plone quick search form.
This is more than a little insane...
mydict[] records are then saved as strings in DB table records.
?!

cheers,
Chris
-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris Withers wrote at 2008-2-7 10:25 +0000:
Bill Campbell wrote:
On Thu, Feb 07, 2008, Stefano Guglia wrote:
hello!
I converted a dictionary into a string, and now I need to change the same string back into a dictionary in a Zope Python script.
s = repr(d)
newdict = eval(s)
NO!
Never ever ever eval strings. At some point you will end up eval'ing a user-supplied string and hey presto - instant massive security vulnerability.
It is easy to secure "eval":

globs = {'__builtins__':{}}
eval(s, globs, globs)

This ensures that "eval" cannot use any builtin functions -- especially, it cannot import anything.

-- 
Dieter
Dieter Maurer wrote:
It is easy to secure "eval":
globs = {'__builtins__':{}}
eval(s, globs, globs)
This ensures that "eval" cannot use any builtin functions -- especially, it cannot import anything.
I'm fairly sure this isn't enough - google for the bugs in python's rexec and bastion modules which led to them being deprecated...

cheers,
Chris
-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris Withers wrote at 2008-2-8 11:14 +0000:
Dieter Maurer wrote:
It is easy to secure "eval":
globs = {'__builtins__':{}}
eval(s, globs, globs)
This ensures that "eval" cannot use any builtin functions -- especially, it cannot import anything.
I'm fairly sure this isn't enough
That you are fairly sure is not enough -- unless you show me an exploit....
- google for the bugs in python's rexec and bastion modules which led to them being deprecated...
I speak only about "eval" (not "exec", "rexec" nor "bastion"). In the "eval" world, you only have expressions. And with the "__builtins__" above, you have no builtin functions, no classes, no types -- you have just the literals the parser can recognize: strings, integers, floats, None, lists, tuples, dicts, generators and the typical operators on them.

You are able to construct huge objects and can cause denial of service. But this is possible even without "eval"....

-- 
Dieter
Dieter Maurer wrote:
- google for the bugs in python's rexec and bastion modules which led to them being deprecated...
I speak only about "eval" (not "exec", "rexec" nor "bastion"). In the "eval" world, you only have expressions. And with the "__builtins__" above, you have no builtin functions, no classes, no types -- you have just the literals the parser can recognize: strings, integers, floats, None, lists, tuples, dicts, generators and the typical operators on them.
I suggest you actually follow your own usual advice and do some searching, it's never that simple, as you'll see from the bugs people have encountered with rexec and bastion ;-)

But, for clarity and for the lazy, here's Toby's example of how to get at some interesting classes without using anything but the exec environment you described:

{}.__class__.__bases__[0].__subclasses__()

I know Toby wanted to keep that off-list but I think it's important that people understand just how unsafe it is to exec anything you can't 100% trust. I have an adage that "there's always something better than exec" and I haven't been proved wrong yet...

cheers,
Chris
-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
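An added example, not from any poster in this thread, showing the "something better than eval" for Stefano's case: rebuilding a repr()-serialized record with the standard library's ast.literal_eval, which only accepts literal syntax. It also checks the two claims made above, that the empty-__builtins__ globals do not stop the attribute-access expression Chris quoted, while literal_eval refuses it. The sample record, the function names and the helper names are constructed for this example; ast.literal_eval is the real stdlib function (Python 2.6+/3).

```python
import ast

# Constructed sample record in the shape Stefano described (values made up here).
SAMPLE_RECORD = {
    'itemcode': 'some value',
    'itemsizeavail': [('XL',), ('XXL',), ('S',)],
    'keythree': '',
    'keyfour': [],
}

# The expression quoted in the thread: plain attribute access and a call,
# needing no builtin names at all.
ATTRIBUTE_ACCESS_EXPR = "{}.__class__.__bases__[0].__subclasses__()"


def serialize_record(record):
    """Turn a record dict into a string the way the thread does: repr()."""
    return repr(record)


def parse_record_string(s):
    """Rebuild a dict from its repr() without executing any code.

    ast.literal_eval parses the string and only accepts literal nodes
    (strings, numbers, tuples, lists, dicts, sets, booleans, None); names,
    attribute access and calls are rejected with ValueError, so a string
    that came from an untrusted source cannot run anything during parsing.
    """
    value = ast.literal_eval(s)
    if not isinstance(value, dict):
        raise ValueError("expected a dict literal, got %s" % type(value).__name__)
    return value


def literal_eval_accepts(s):
    """True if literal_eval will parse s, False if it rejects it."""
    try:
        ast.literal_eval(s)
        return True
    except (ValueError, SyntaxError):
        return False


def restricted_eval_accepts(s):
    """Evaluate s with the empty-__builtins__ globals proposed in the thread
    and report whether it evaluates without error.

    This exists only to show that hiding the builtins does not block attribute
    access on literals; it is not a parsing strategy for untrusted input.
    """
    globs = {'__builtins__': {}}
    try:
        eval(s, globs, globs)
        return True
    except Exception:
        return False


if __name__ == '__main__':
    text = serialize_record(SAMPLE_RECORD)
    print("round-trip equal:", parse_record_string(text) == SAMPLE_RECORD)
    print("restricted eval accepts attribute access:",
          restricted_eval_accepts(ATTRIBUTE_ACCESS_EXPR))
    print("literal_eval accepts attribute access:",
          literal_eval_accepts(ATTRIBUTE_ACCESS_EXPR))
```

For records stored as strings in a database, this gives the same repr()/parse round trip as the eval() suggestion while keeping the parser a pure data decoder; the tuples inside lists in Stefano's records survive unchanged.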
participants (5)
- Bill Campbell
- Chris Withers
- Dieter Maurer
- sguglia@arrows.it
- Stefano Guglia