\u5728Freebuf\u4e0a\u770b\u5230\u7684\u4e24\u7bc7\u6587\u7ae0\uff1aPython eval\u7684\u5e38\u89c1\u9519\u8bef\u5c01\u88c5\u53ca\u5229\u7528\u539f\u7406<\/a>\u3001Python\u5b89\u5168\u7f16\u7801\u4e0e\u4ee3\u7801\u5ba1\u8ba1<\/a>\uff0c\u91cc\u9762\u6d89\u53ca\u5230\u4e86\u5bf9Python\u7684eval\u51fd\u6570\u7684\u8bf4\u660e\u548c\u8bb2\u89e3\uff0c\u4e4b\u540e\u6211\u53c8\u53bb\u7f51\u4e0a\u641c\u4e86\u4e00\u4e9b\u8d44\u6599\uff0c\u6574\u7406\u6210\u4e86\u8fd9\u7bc7\u6587\u7ae0\u3002<\/p>\n python eval literal_eval<\/p>\n \u95ee\uff1aPython\u4e2d\u7684eval\u662f\u7528\u6765\u5e72\u561b\u7684\uff1f<\/p>\n \u7b54\uff1aeval() \u5c06\u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e32\u53c2\u6570\u89e3\u91ca\u4e3aPython\u4ee3\u7801\u5e76\u6267\u884c\u3002<\/p>\n ==<\/p>\n The eval function lets a python program run python code within itself<\/span><\/strong>.eval example (interactive shell):<\/p>\n ==<\/p>\n eval() interprets a string as code<\/strong><\/span>. The reason why so many people have warned you about using this is because a user can use this as an option to run code on the computer. If you have eval(input()) and os imported, a person could type into input() os.system(‘rm -R *’) which would delete all your files in your home directory. (Assuming you have a unix system). Using eval() is a security hole. If you need to convert strings to other formats, try to use things that do that, like int().<\/p>\n ==<\/p>\n \u4e0eeval()\u51fd\u6570\u76f8\u6bd4\uff0cast.literal_eval()\u51fd\u6570\u4ec5\u8ba4\u4e3a\u5c11\u6570(\u5b89\u5168\u7684)Python\u8bed\u6cd5\u64cd\u4f5c\u662f\u5408\u6cd5\u7684\uff1a<\/p>\n The string or node provided may only consist of the following Python literal structures: strings, numbers, tuples, lists, dicts, booleans, and None.<\/p>\n Passing __import__(‘os’).system(‘rm -rf \/’) into ast.literal_eval() will raise an error, but eval() will happily wipe your drive.<\/p>\n Since it looks like you’re only letting the user input a plain dictionary, use\u00a0ast.literal_eval(). It safely does what you want and nothing more.<\/p>\n ==<\/p>\n You cannot secure eval with a blacklist approach like this. See\u00a0Eval really is dangerous<\/a>\u00a0for examples of input that will segfault the CPython interpreter, give access to any class you like, and so on.<\/p>\n ==<\/p>\n Note that this doesn\u2019t protect you from CPU or memory resource attacks (for example, something like:<\/p>\n will most likely cause your program to run out of memory after a while)<\/p>\n ==<\/p>\n \u4e0b\u9762\u8fd9\u6bb5\u4ee3\u7801\u5219\u662f\u9000\u51fa\u89e3\u91ca\u5668\uff1a<\/p>\n \u521d\u6b65\u7406\u89e3\u4e00\u4e0b\u6574\u4e2a\u8fc7\u7a0b\uff1a<\/p>\n \u8fd9\u53e5Python\u4ee3\u7801\u7684\u610f\u601d\u5c31\u662f\u627etuple\u7684class\uff0c\u518d\u627e\u5b83\u7684\u57fa\u7c7b\uff0c\u4e5f\u5c31\u662fobject\uff0c\u518d\u901a\u8fc7object\u627e\u4ed6\u7684\u5b50\u7c7b\uff0c\u5177\u4f53\u7684\u5b50\u7c7b\u4e5f\u5982\u4ee3\u7801\u4e2d\u7684\u8f93\u51fa\u4e00\u6837\u3002\u4ece\u4e2d\u53ef\u4ee5\u770b\u5230\u4e86\u6709file\u6a21\u5757\uff0czipimporter\u6a21\u5757\uff0c\u662f\u4e0d\u662f\u53ef\u4ee5\u5229\u7528\u4e0b\u5462\uff1f\u9996\u5148\u4ecefile\u5165\u624b\u3002<\/p>\n \u5047\u5982\u7528\u6237\u5982\u679c\u6784\u9020\uff1a<\/p>\n \u8fd9\u4e2arestrictected mode\u7b80\u5355\u7406\u89e3\u5c31\u662fPython\u89e3\u91ca\u5668\u7684\u6c99\u76d2\uff0c\u4e00\u4e9b\u529f\u80fd\u88ab\u9650\u5236\u4e86\uff0c\u6bd4\u5982\u8bf4\u4e0d\u80fd\u4fee\u6539\u7cfb\u7edf\uff0c\u4e0d\u80fd\u4f7f\u7528\u4e00\u4e9b\u7cfb\u7edf\u51fd\u6570\uff0c\u5982file\uff0c\u8be6\u60c5\u89c1Restricted Execution Mode<\/a>\uff0c\u90a3\u600e\u4e48\u53bb\u7ed5\u8fc7\u5462\uff1f\u8fd9\u65f6\u6211\u4eec\u5c31\u60f3\u5230\u4e86zipimporter\u4e86\uff0c\u5047\u5982\u5f15\u5165\u7684\u6a21\u5757\u4e2d\u5f15\u7528\u4e86os\u6a21\u5757\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\u4e86\u3002\u4e5f\u5c31\u662f\u8bf4\u521a\u624d\u7684safe_eval\u5176\u5b9e\u662f\u4e0d\u5b89\u5168\u7684\u3002<\/p>\n =EOF=<\/p>\n","protected":false},"excerpt":{"rendered":" \u7f18\u7531\uff1a \u5728Freebuf\u4e0a\u770b\u5230\u7684\u4e24\u7bc7\u6587\u7ae0\uff1aPython eval\u7684\u5e38\u89c1\u9519\u8bef\u5c01\u88c5\u53ca\u5229\u7528\u539f\u7406\u3001Python\u5b89\u5168\u7f16\u7801 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,25],"tags":[545,8],"class_list":["post-2454","post","type-post","status-publish","format-standard","hentry","category-programing","category-security","tag-eval","tag-python"],"views":7053,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/2454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=2454"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/2454\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=2454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=2454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=2454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u641c\u7d22\u5173\u952e\u5b57\uff1a<\/h6>\n
\u53c2\u8003\u94fe\u63a5\uff1a<\/h5>\n
# Python\u4e2d\u7684eval\u662f\u7528\u6765\u5e72\u561b\u7684\uff1f<\/h6>\n
\n
# eval\u662f\u975e\u5e38\u5371\u9669\u7684<\/h6>\n
\n
# \u7528 eval \/ ast.literal_eval \u6765\u64cd\u4f5cjson\u6570\u636e\uff1f<\/h6>\n
\n
# Python eval\u7684\u5e38\u89c1\u9519\u8bef\u5c01\u88c5\u53ca\u5229\u7528\u539f\u7406<\/h6>\n
\n
\u53c2\u8003\u89e3\u7b54\uff1a<\/h6>\n
>>> x = 1\n>>> eval('x + 1')\n2\n>>> eval('x')\n1<\/pre>\nIn [1]: print eval(\"__import__('os').getcwd()\", {})\nD:\\\n\nIn [2]: print eval(\"__import__('os').remove('file')\", {\"__builtins__\": {}})\n---------------------------------------------------------------------------\nNameError Traceback (most recent call last)\n<ipython-input-2-ca308c631e67> in <module>()\n----> 1 print eval(\"__import__('os').remove('file')\", {\"__builtins__\": {}})\n\n<string> in <module>()\n\nNameError: name '__import__' is not defined<\/pre>\n>>> eval(\"'*'*1000000*2*2*2*2*2*2*2*2*2\")<\/pre>\n
>>> s = \"\"\"\n... [\n... c for c in\n... ().__class__.__bases__[0].__subclasses__()\n... if c.__name__ == \"Quitter\"\n... ][0](0)()\n... \"\"\"\n>>> eval(s, {'__builtins__':{}})\n\nD:\\><\/pre>\n>>> ().__class__.__bases__[0].__subclasses__()\n...\n...<\/pre>\n
>>> s1 = \"\"\"\n... [\n... c for c in ().__class__.__bases__[0].__subclasses__()\n... if c.__name__ == \"file\"\n... ][0](\"\/etc\/passwd\").read()()\n... \"\"\"\n>>> eval(s1, {'__builtins__':{}})\nTraceback (most recent call last):\n File \"<stdin>\", line 1, in <module>\n File \"<string>\", line 5, in <module>\nIOError: file() constructor not accessible in restricted mode<\/pre>\n\u5982\u4f55\u6b63\u786e\u4f7f\u7528<\/h6>\n
\n