{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 墨雨无痕 的问题《Security of Python's eval() on untrust》','https://www.manongdao.com/q-12195.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
If I am evaluating a Python string using eval(), and have a class like:
class Foo(object):
a = 3
def bar(self, x): return x + a
What are the security risks if I do not trust the string? In particular:
- Is
eval(string, {"f": Foo()}, {})unsafe? That is, can you reach os or sys or something unsafe from a Foo instance? - Is
eval(string, {}, {})unsafe? That is, can I reach os or sys entirely from builtins like len and list? - Is there a way to make builtins not present at all in the eval context?
There are some unsafe strings like "[0] * 100000000" I don't care about, because at worst they slow/stop the program. I am primarily concerned about protecting user data external to the program.
Obviously, eval(string) without custom dictionaries is unsafe in most cases.
eval()will allow malicious data to compromise your entire system, kill your cat, eat your dog and make love to your wife.There was recently a thread about how to do this kind of thing safely on the python-dev list, and the conclusions were:
Start here to read about the challenge: http://tav.espians.com/a-challenge-to-break-python-security.html
What situation do you want to use eval() in? Are you wanting a user to be able to execute arbitrary expressions? Or are you wanting to transfer data in some way? Perhaps it's possible to lock down the input in some way.
Note that even if you pass empty dictionaries to eval(), it's still possible to segfault (C)Python with some syntax tricks. For example, try this on your interpreter:
eval("()"*8**5)You can get to
osusing builtin functions:__import__('os').For python 2.6+, the ast module may help; in particular
ast.literal_eval, although it depends on exactly what you want to eval.You cannot secure eval with a blacklist approach like this. See Eval really is dangerous for examples of input that will segfault the CPython interpreter, give access to any class you like, and so on.
You are probably better off turning the question around:
For example, if you are wanting to let the user enter an algebraic expression for evaluation, consider limiting them to one letter variable names, numbers, and a specific set of operators and functions. Don't eval() strings containing anything else.
There is a very good article on the un-safety of
eval()in Mark Pilgrim's Dive into Python tutorial.Quoted from this article: