Python eval: is it still dangerous if I disable builtins and attribute access?

by

I’m going to mention one of the new features of Python 3.6 – f-strings.

They can evaluate expressions,

>>> eval('f"{().__class__.__base__}"', {'__builtins__': None}, {})
"<class 'object'>"

but the attribute access won’t be detected by Python’s tokenizer:

0,0-0,0:            ENCODING       'utf-8'        
1,0-1,1:            ERRORTOKEN     "'"            
1,1-1,27:           STRING         'f"{().__class__.__base__}"'
2,0-2,0:            ENDMARKER      ''

More Related Contents:

  1. How does str(list) work?
  2. Why is “1000000000000000 in range(1000000000000001)” so fast in Python 3?
  3. Why is using ‘eval’ a bad practice?
  4. Why is the order in dictionaries and sets arbitrary?
  5. Usage of __slots__?
  6. Python string interning
  7. About the changing id of an immutable string
  8. Dynamically evaluate an expression from a formula in Pandas
  9. Security of Python’s eval() on untrusted strings?
  10. Python: make eval safe [duplicate]
  11. Why can tuples contain mutable items?
  12. Why does a class’ body get executed at definition time?
  13. What exactly is contained within a obj.__closure__?
  14. What does “del” do exactly?
  15. Why is True returned when checking if an empty string is in another?
  16. Tuple or list when using ‘in’ in an ‘if’ clause?
  17. Python Compilation/Interpretation Process
  18. Python string literal concatenation
  19. When are .pyc files refreshed?
  20. Why is variable1 += variable2 much faster than variable1 = variable1 + variable2?
  21. Why is a class __dict__ a mappingproxy?
  22. Using a function defined in an exec’ed string in Python 3 [duplicate]
  23. How is unicode represented internally in Python?
  24. Why does list ask about __len__?
  25. Are list comprehensions syntactic sugar for `list(generator expression)` in Python 3?
  26. What are __signature__ and __text_signature__ used for in Python 3.4
  27. Converting python string into bytes directly without eval()
  28. Why is a function/method call in python expensive?
  29. How does the Python for loop actually work?
  30. ‘is’ operator behaves unexpectedly with floats

Leave a Comment