views:

82

answers:

2

I have a string "[u'foo']" (Yes, it includes the square brackets and the u''). I have to convert that to a list which looks like [u'foo'].

list("[u'foo']") won't work.

Any suggestions?

+1  A: 
eval("[u'foo']", {'__builtins__':[]}, {})
leoluk
You know that passing empty dicts for `locals` and `globals` isn't enough to 'secure' `eval`, yes? This still gives an attacker basically full access to your system.
Aaron Gallagher
POC: `eval('__import__("os").getcwd()', {}, {})`, I edited my answer
leoluk
@leoluk, that doesn't 'prove' anything. `eval("[x for x in type(type(1)).__bases__[0].__subclasses__() if x.__name__ == 'file'][0]('/etc/passwd').readline()", {}, {})` gives me the first line of `/etc/passwd` on my system.
Aaron Gallagher
@Aaron, cool... By the way, if I can't use literal_eval(), what would you suggest as a 'secure' eval?
Albert
@Albert, I would suggest modifying your desires so that you don't have to.
Aaron Gallagher
@Aaron: `eval('__import__("os").getcwd()', {}, {})` is no proof; it works fine. I just wanted to give an example that the first revision was insecure, and I fixed it.
leoluk
+8  A: 
>>> import ast
>>> s = "[u'foo']"
>>> ast.literal_eval(s)
[u'foo']

documentation

Adam Bernier
+1 for the safe `literal_eval` instead of `eval`.
Greg Hewgill
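As an added example (not part of the accepted answer or the original thread), here is how the `ast.literal_eval` approach behaves on the question's input and on the two `eval` payloads posted in the comments, plus the two checks a practitioner would add around it: a size cap, because `literal_eval` can still exhaust the interpreter's stack or memory on a huge or deeply nested literal, and a shape check, because `literal_eval` happily returns any literal, not just a list of strings. The names `parse_string_list`, `is_plain_literal` and `MAX_LITERAL_LEN`, and the cap value, are assumptions for this example; the sample inputs are taken from the question and the comments above.

```python
import ast

# Input size cap applied before parsing. ast.literal_eval refuses to execute
# code, but a large or deeply nested literal can still blow the stack or
# memory, so bound the input first. The limit is an assumption for this example.
MAX_LITERAL_LEN = 4096


def parse_string_list(text):
    """Parse a Python list literal of strings such as "[u'foo']".

    ast.literal_eval only constructs literals (strings, bytes, numbers,
    tuples, lists, dicts, sets, booleans, None) and raises ValueError for
    anything else: calls, attribute access, subscripts, comprehensions.
    Returns the list, or raises ValueError for unacceptable input.
    """
    if not isinstance(text, str):
        raise TypeError("expected str")
    if len(text) > MAX_LITERAL_LEN:
        raise ValueError("literal too long")
    try:
        value = ast.literal_eval(text)
    except (SyntaxError, ValueError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % (text[:60],)) from exc
    # literal_eval does not care what the literal is; enforce the expected shape.
    if not isinstance(value, list) or not all(isinstance(item, str) for item in value):
        raise ValueError("expected a list of strings, got %r" % (value,))
    return value


def is_plain_literal(text):
    """True if parse_string_list accepts text, False if it rejects it."""
    try:
        parse_string_list(text)
        return True
    except ValueError:
        return False


# Constructed inputs: the string from the question, and the two payloads
# from the comment thread that eval() with empty globals/locals still runs.
QUESTION_INPUT = "[u'foo']"
PAYLOADS = [
    '__import__("os").getcwd()',
    "[x for x in type(type(1)).__bases__[0].__subclasses__() "
    "if x.__name__ == 'file'][0]('/etc/passwd').readline()",
]

if __name__ == "__main__":
    print(parse_string_list(QUESTION_INPUT))
    for payload in PAYLOADS:
        verdict = "accepted" if is_plain_literal(payload) else "rejected"
        print("%-45s -> %s" % (payload[:42] + "...", verdict))
```

Note that under Python 3 the `u''` prefix is accepted and the result is `['foo']`; the `u` is only shown in the repr on Python 2. The shape check matters in practice: a caller that expected a list of strings but received, say, a dict or a list of integers from a trusted-looking literal would otherwise fail later in a less obvious place.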