Python eval: is it still dangerous if I disable builtins and attribute access?

Backend · Unresolved · 6 · 952
甜味超标 2020-12-02 12:38

We all know that eval is dangerous, even if you hide dangerous functions, because you can use Python's introspection features to dig down into things and re-extract them. F

6 answers
  •  渐次进展
    2020-12-02 13:04

    I'm going to mention one of the new features of Python 3.6 - f-strings.

    They can evaluate expressions,

    >>> eval('f"{().__class__.__base__}"', {'__builtins__': None}, {})
    "<class 'object'>"

    but the attribute access won't be detected by Python's tokenizer:

    0,0-0,0:            ENCODING       'utf-8'
    1,0-1,1:            ERRORTOKEN     "'"
    1,1-1,27:           STRING         'f"{().__class__.__base__}"'
    2,0-2,0:            ENDMARKER      ''
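The point of this answer, restated as an added example (my code, not the answerer's): a filter that looks for a `.` token in the tokenizer output sees a single STRING token for the whole f-string and lets the attribute access through, whereas walking the `ast` tree sees the `FormattedValue` inside the `JoinedStr` and catches the `Attribute` node. The sample expressions below are constructed for the demonstration. One caveat the answer predates: from Python 3.12 (PEP 701) the tokenizer splits f-strings into FSTRING_START/FSTRING_MIDDLE/FSTRING_END plus the inner tokens, so the token-based check happens to work there; the AST check works on every version since 3.6.

```python
import ast
import io
import sys
import tokenize

# Constructed sample expressions (not taken from the original post).
SAMPLES = {
    "benign": "1 + 2 * 3",
    "plain_attr": "().__class__.__base__",
    "fstring_attr": 'f"{().__class__.__base__}"',
}


def tokenizer_blocks_attr(src: str) -> bool:
    """Naive filter: reject if the tokenizer emits a '.' OP token.

    Before Python 3.12 the whole f-string is one STRING token, so the
    attribute access inside the replacement field is never seen.
    """
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.OP and tok.string == ".":
            return True
    return False


def tokenizer_splits_fstrings() -> bool:
    """True on interpreters where PEP 701 tokenizes f-string internals (3.12+)."""
    return sys.version_info >= (3, 12)


def ast_blocks_attr(src: str) -> bool:
    """Stronger filter: parse the expression and reject any Attribute node.

    ast.parse turns the f-string's replacement fields into FormattedValue
    nodes, so ast.walk reaches the nested Attribute regardless of version.
    """
    tree = ast.parse(src, mode="eval")
    return any(isinstance(node, ast.Attribute) for node in ast.walk(tree))


def safe_eval(src: str):
    """Evaluate an arithmetic-style expression only if the AST check passes.

    Blocking Attribute nodes closes the f-string hole shown in the answer,
    but it is one check among several a real expression sandbox needs
    (Name, Subscript and Call nodes deserve the same scrutiny).
    """
    tree = ast.parse(src, mode="eval")
    if any(isinstance(node, ast.Attribute) for node in ast.walk(tree)):
        raise ValueError("attribute access is not allowed")
    code = compile(tree, "<expr>", "eval")
    return eval(code, {"__builtins__": {}}, {})


def is_rejected(src: str) -> bool:
    """Helper for callers that want a boolean instead of an exception."""
    try:
        safe_eval(src)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:13} tokenizer={tokenizer_blocks_attr(src)!s:5} "
              f"ast={ast_blocks_attr(src)!s:5} rejected={is_rejected(src)}")
```

Run it on 3.6 through 3.11 and the `fstring_attr` row shows `tokenizer=False ast=True`: the token filter is bypassed exactly as the answer describes, while the AST filter rejects the expression before `eval` ever runs.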
