tshirtman / ultimate-smash-friends

a smash-bros like game

Security Issue #13

Closed CruzR closed 12 years ago

CruzR commented 12 years ago

That should fix the small security issue I told you about on IRC tonight, and it should also allow securely using Python as a scripting language in other user-generated content.

tshirtman commented 12 years ago

Oh, that seems like a nice solution. Are you sure it's impossible to escape it?

CruzR commented 12 years ago

Pretty sure. The docs say that only the contents of the dict passed to the eval() function can be accessed from inside the evaluated expression, and in fact expressions trying to access anything other than that raised a NameError in my tests. And since it's not possible to use statements inside an expression when using eval() it should be secure.

The only way to escape the encapsulation I could think of is passing a reference to a module into the function, but you wouldn't want to do this anyway.

tshirtman commented 12 years ago

Nice, I'll merge it then, thanks!