Executing code provided by an untrusted user using exec, eval or ast.literal_eval
It is not possible to use eval or exec to execute code from an untrusted user securely. Restricting the namespace they run in, for example by passing an empty __builtins__, does not change that: plain attribute access on any object is enough to walk back to the interpreter's own classes and from there to modules such as os. Even ast.literal_eval, which never executes anything, is prone to crashes in the parser. It is sometimes possible to guard against malicious code execution, but that does not exclude the possibility of outright crashes in the parser or the tokenizer: deeply nested or otherwise pathological input still has to pass through both, and what comes out is a MemoryError, a RecursionError or, in some interpreter versions, a hard crash of the process, rather than the ValueError or SyntaxError a caller typically catches.
To evaluate expressions from an untrusted user you need a third-party module designed for that purpose, or a parser and virtual machine of your own written in Python, one that accepts only the constructs you actually need and enforces explicit limits on input size and nesting depth, so that malformed input ends in a single, expected exception rather than in the interpreter's parser.
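One shape such a parser and virtual machine can take, as an added example that is not code from the original page: a tokenizer that rejects every character outside the grammar, a recursive-descent parser for integer arithmetic that compiles to postfix instructions and stops at an explicit depth limit, and a stack machine that runs those instructions without recursion. The grammar, the limits (MAX_LENGTH, MAX_DEPTH) and the ExpressionError type are this example's own choices.

```python
"""Evaluating untrusted arithmetic without eval: own tokenizer, parser and VM.
Added example; grammar, limits and names are this example's own choices."""
import re

MAX_LENGTH = 1_000  # reject oversized input before doing any work
MAX_DEPTH = 50      # explicit nesting bound; CPython's parser offers no such knob


class ExpressionError(ValueError):
    """The only exception this evaluator raises for bad input."""


# A number, one of the operator/paren characters, or any other non-space char.
_TOKEN_RE = re.compile(r"\s*(?:(\d+)|([-+*/()])|(\S))")


def tokenize(src):
    """Return ('num', int) and ('op', str) tokens ending in ('end', None)."""
    if len(src) > MAX_LENGTH:
        raise ExpressionError("input too long")
    tokens = []
    for match in _TOKEN_RE.finditer(src):
        number, op, other = match.groups()
        if number is not None:
            tokens.append(("num", int(number)))
        elif op is not None:
            tokens.append(("op", op))
        else:
            raise ExpressionError(f"unexpected character {other!r}")
    tokens.append(("end", None))
    return tokens


class Compiler:
    """expr := term (('+'|'-') term)*   term := factor (('*'|'/') factor)*
    factor := '-' factor | '(' expr ')' | number.  Emits postfix code."""

    def __init__(self, tokens):
        self.tokens, self.pos, self.depth, self.code = tokens, 0, 0, []

    def peek(self):
        return self.tokens[self.pos]

    def take(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def compile(self):
        self.expr()
        if self.peek() != ("end", None):
            raise ExpressionError("unexpected trailing input")
        return self.code

    def expr(self):
        self.term()
        while self.peek() in (("op", "+"), ("op", "-")):
            op = self.take()[1]
            self.term()
            self.code.append(("add",) if op == "+" else ("sub",))

    def term(self):
        self.factor()
        while self.peek() in (("op", "*"), ("op", "/")):
            op = self.take()[1]
            self.factor()
            self.code.append(("mul",) if op == "*" else ("div",))

    def factor(self):
        self.depth += 1  # every nesting level passes through here
        if self.depth > MAX_DEPTH:
            raise ExpressionError("expression nested too deeply")
        try:
            kind, value = self.take()
            if kind == "num":
                self.code.append(("push", value))
            elif (kind, value) == ("op", "-"):
                self.factor()
                self.code.append(("neg",))
            elif (kind, value) == ("op", "("):
                self.expr()
                if self.take() != ("op", ")"):
                    raise ExpressionError("expected ')'")
            else:
                raise ExpressionError(f"unexpected token {value!r}")
        finally:
            self.depth -= 1


def run(code):
    """Execute the postfix program on an explicit stack; no recursion here."""
    stack = []
    for instr in code:
        if instr[0] == "push":
            stack.append(instr[1])
        elif instr[0] == "neg":
            stack.append(-stack.pop())
        else:
            right, left = stack.pop(), stack.pop()
            if instr[0] == "add":
                stack.append(left + right)
            elif instr[0] == "sub":
                stack.append(left - right)
            elif instr[0] == "mul":
                stack.append(left * right)
            elif right == 0:
                raise ExpressionError("division by zero")
            else:
                stack.append(left / right)
    return stack.pop()


def evaluate(src):
    return run(Compiler(tokenize(src)).compile())


def safe_evaluate(src):
    """('ok', value) or ('error', message); the boundary a caller should use."""
    try:
        return ("ok", evaluate(src))
    except ExpressionError as exc:
        return ("error", str(exc))
```

The depth counter in factor is the point of the exercise: the same input that drives CPython's own parser into a MemoryError or RecursionError is turned away here with an ordinary ExpressionError, and the flat postfix program means evaluation itself never recurses at all.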