You can't use 'eval' in either a DTML method or a python script. You have to create an external method to use 'eval'. It's a bad idea. When I was a newbie, I also figured out the same solution, but somebody said:

"What if instead of a list, some bad user passes: rm -Rf?"

So, it seems a useful command, but in fact it is dangerous.

My suggestion for the thread author: if you can't send a list as somebody said, then remove the first and last square braces and do a split. Of course this will only work if your list is very simple; on the contrary, if you use lists of lists, you will have to do some kind of recursive function.

Regards, Josef
Thanks for the replies everyone. I was a little worried about the possibility of some malicious code being passed to the dtml but since the parameter in question is coming from an external database, it wasn't a huge possibility. Nonetheless, it was still a possibility so I did what was suggested below and created a python script to convert the text representation of the list to a list of integers, which is what is needed. I appreciate the quick replies!

Josef Meile wrote:

> You can't use 'eval' in either a DTML method or a python script. You have to create an external method to use 'eval'.
> It's a bad idea. When I was a newbie, I also figured out the same solution, but somebody said:
> "What if instead of a list, some bad user passes: rm -Rf?"
> So, it seems a useful command, but in fact it is dangerous.
> My suggestion for the thread author: if you can't send a list as somebody said, then remove the first and last square braces and do a split. Of course this will only work if your list is very simple; on the contrary, if you use lists of lists, you will have to do some kind of recursive function.
> Regards, Josef
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
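The conversion Kevin describes (and the split-based shortcut Josef suggests, plus the recursive variant for lists of lists), written out as an added example. This is not code from the thread, from a Zope product or from any poster; the function names are my own. It accepts only brackets, commas, whitespace and integer literals, so nothing that could be executed ever reaches an interpreter:

```python
import re

# Added example, not from the thread: parse the text form of a list of
# integers, e.g. "[1, 2, 3]" or "[[1, 2], [3]]", without ever calling eval().


def parse_flat_int_list(text):
    """The simple approach from the thread: drop the outer brackets, split on
    commas, and convert each piece with int(), which itself rejects anything
    that is not an integer literal (so "[1, 2, x]" raises ValueError)."""
    text = text.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("expected a bracketed list")
    body = text[1:-1].strip()
    if not body:
        return []
    return [int(piece) for piece in body.split(",")]


# One token: optional leading whitespace, then a bracket, a comma or an integer.
_TOKEN = re.compile(r"\s*(\[|\]|,|-?\d+)")


def parse_int_list(text):
    """Recursive version for nested lists of integers.

    Any character outside the tiny grammar above (letters, quotes, parentheses,
    dots, ...) makes the tokenizer stop and raise, so arbitrary expressions
    can never be accepted, let alone evaluated."""
    text = text.strip()
    tokens = []
    pos = 0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError("unexpected input at position %d: %r"
                             % (pos, text[pos:pos + 10]))
        tokens.append(match.group(1))
        pos = match.end()
    result, end = _parse_list(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing data after list")
    return result


def _parse_list(tokens, i):
    """Parse one bracketed list starting at tokens[i]; return (list, next_i)."""
    if i >= len(tokens) or tokens[i] != "[":
        raise ValueError("expected '['")
    i += 1
    items = []
    if i < len(tokens) and tokens[i] == "]":
        return items, i + 1  # empty list
    while True:
        if i >= len(tokens):
            raise ValueError("unterminated list")
        if tokens[i] == "[":
            value, i = _parse_list(tokens, i)  # nested list: recurse
        elif tokens[i] in (",", "]"):
            raise ValueError("expected a value")
        else:
            value, i = int(tokens[i]), i + 1
        items.append(value)
        if i >= len(tokens):
            raise ValueError("unterminated list")
        if tokens[i] == "]":
            return items, i + 1
        if tokens[i] != ",":
            raise ValueError("expected ',' or ']'")
        i += 1


def rejects(text, parser=parse_int_list):
    """True if the parser refuses the input with ValueError."""
    try:
        parser(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_flat_int_list("[10, 20, 30]"))
    print(parse_int_list("[[1, 2], [3], []]"))
    print(rejects("[1, 2, x]"))
```

The flat version is all that is needed for the case in the thread (a list of integers pulled from a database column); the recursive one covers Josef's "lists of lists" remark. In current Python the standard library's `ast.literal_eval` does the same job for any combination of built-in literals without executing anything, and is the usual replacement for `eval` on data like this.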
On Friday 06 February 2004 03:47 pm, Kevin Carlson wrote:

> Thanks for the replies everyone. I was a little worried about the possibility of some malicious code being passed to the dtml but since the parameter in question is coming from an external database, it wasn't a huge possibility. Nonetheless, it was still a possibility so I did what was suggested below and created a python script to convert the text representation of the list to a list of integers, which is what is needed.

I hacked a version of Toby Dickensen's "MiniPickle" to create a MiniPickle.py module in my Narya product, see:

http://cvs.sourceforge.net/viewcvs.py/narya-project/Narya1/Narya/Utility/Min...

mini_dumps

This pickles data that you pass to it and converts it to hexcode (which is just 0-9A-F and therefore safe for any string use, such as embedding in Cookies or HTML forms). The reverse operation mini_loads will then restore the data from the string. The trick is, it won't do it unless the data is a BUILT-IN PYTHON OBJECT, no functions, code objects, classes or class instances allowed -- only static data. This should eliminate the hazard of encountering a "trojan" object submitted by an untrusted client.

I use this in product code, but it can be used in an external method (as the original mini-pickle implementation did). The main extension in my module is the use of hexcode for storage (uncoded Python pickle format will break HTTP cookies, as I found out the hard way).

This should generally be able to do the non-perilous things you could do with 'eval', without much more effort. I've found it quite useful for storing dictionaries, for example.

Note that if you REALLY need to store a class instance, you can provide a means to pack extract the data, mini-pickle and store *that*, then provide a wrapper to extend the data with the class on load. This is basically the "pluggable brain" concept, although I've found it easier to implement this myself than to try to use the Zope pluggable brain mechanism (which is designed for through-the-web development).

Cheers, Terry

-- 
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
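The mini_dumps / mini_loads idea Terry describes, rebuilt as an added example in Python 3. This is not Terry's MiniPickle module, not Toby Dickensen's original and not Zope code; the names `mini_dumps`, `mini_loads`, `_STATIC_TYPES` and the helpers are my own. The two safeguards are the ones his message names: only built-in static data is accepted, and the hex encoding keeps the string cookie- and form-safe. The loader additionally refuses every module/class/function lookup, which is how the "no trojan object" property is enforced on the receiving side:

```python
import binascii
import io
import pickle

# Added example (not Terry Hancock's MiniPickle and not Zope code): pickle only
# built-in static data, hex-encode the bytes for safe embedding in cookies or
# HTML forms, and refuse on load to resolve any global name, so a crafted
# string cannot bring a code object or class instance back to life.

# Exact types permitted. Subclasses are rejected on purpose: a subclass is a
# class instance with its own code behind it.
_STATIC_TYPES = (type(None), bool, int, float, str, bytes, list, tuple, dict)


def _check_static(obj):
    """Recursively verify that obj consists only of built-in static data."""
    if type(obj) not in _STATIC_TYPES:
        raise TypeError("refusing non-static object of type %s" % type(obj).__name__)
    if isinstance(obj, (list, tuple)):
        for item in obj:
            _check_static(item)
    elif isinstance(obj, dict):
        for key, value in obj.items():
            _check_static(key)
            _check_static(value)


def mini_dumps(obj):
    """Serialize static data to a hex string (characters 0-9a-f only)."""
    _check_static(obj)
    # Protocol 3 writes every permitted type with plain data opcodes; older
    # protocols pickle bytes through a global reference, which mini_loads
    # would (correctly) refuse.
    return binascii.hexlify(pickle.dumps(obj, protocol=3)).decode("ascii")


class _StaticOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL lookup."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))


def mini_loads(text, max_len=4096):
    """Restore static data from a hex string produced by mini_dumps()."""
    # Cap the size first: a client controls the length of a cookie as well.
    if len(text) > max_len:
        raise ValueError("serialized data too long")
    try:
        raw = binascii.unhexlify(text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not a hex string") from exc
    obj = _StaticOnlyUnpickler(io.BytesIO(raw)).load()
    _check_static(obj)  # belt and braces: check the result as well
    return obj


def dumps_rejects(obj):
    """True if mini_dumps() refuses obj."""
    try:
        mini_dumps(obj)
    except TypeError:
        return True
    return False


def loads_rejects(text):
    """True if mini_loads() refuses the string."""
    try:
        mini_loads(text)
    except (ValueError, TypeError, pickle.UnpicklingError, EOFError):
        return True
    return False


def function_reference_sample():
    """Constructed sample: the hex form of an ordinary pickle of a function
    (builtins.len), i.e. what a stream that is NOT static data looks like.
    mini_loads() must refuse it."""
    return binascii.hexlify(pickle.dumps(len, protocol=3)).decode("ascii")


if __name__ == "__main__":
    blob = mini_dumps({"ids": [1, 2, 3], "user": "kevin"})
    print(blob)
    print(mini_loads(blob))
    print(loads_rejects(function_reference_sample()))
```

The `find_class` override is the standard Python 3 way to restrict an unpickler (the pickle documentation shows the same pattern); with it in place no callable can ever appear on the unpickling stack, so `REDUCE`-style reconstruction of arbitrary objects has nothing to call. The length cap and the post-load `_check_static` are my additions: pickle from an untrusted source should still be bounded in size, and checking the result is cheap.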