From: Faheem M. <fa...@fa...> - 2012-03-31 19:42:17
Hi Patrick,
Thanks for the helpful reply.
On Sat, 31 Mar 2012, Patrick Totzke wrote:
> Hi Faheem,
>
> Not sure to what you are trying to convert these values but eval
> is not what you want I believe.
I'm trying to convert the value to a list of integer lists, as it appears
to be in the config file. I don't think "eval" is a good way to go either,
but can you suggest an alternative?
> Also note that using eval like this makes your app vulnerable to code
> injection because you don't sanitize the string you hand over.
Yes, I see, since 'eval' can execute arbitrary code. I'm open to
alternative methods to convert this string into a list of lists. Also, how
could one sanitize the call to 'eval'?
> Quoting Faheem Mitha (2012-03-31 19:00:42)
>> value ['[[5', '6]', '[7', '13', '18]', '[9', '22]', '[10', '12]', '[15',
>> '16', '17]', '[20', '21]]']
>> type(value) <type 'list'>
> ...
>
>> l = eval(value)
>> TypeError: eval() arg 1 must be a string or code object
>
>
> Here is your problem: You hand an object of type "list" to a function that
> doesn't accept arguments of that kind.
Right. Clearly eval can't operate after the value
model = [[5, 6], [7, 13, 18], [9, 22], [10, 12], [15, 16, 17], [20, 21]]
has been altered from what one would expect it to be, namely a string.
> eval's docstring says:
>
> eval(source[, globals[, locals]]) -> value
>
> Evaluate the source in the context of globals and locals.
> The source may be a string representing a Python expression
> or a code object as returned by compile().
> The globals must be a dictionary and locals can be any mapping,
> defaulting to the current globals and locals.
> If only globals is given, locals defaults to it.
>
> I think one option would be to quote your values in the config,
> so you'd explicitly get a string and not a stringlist.
> I'm not so firm with the configobj internals but it seems that
> it is interpreting this stringlist before calling your test.
Yes, I would have expected it to just pass the value as a string, but it
seems to be altering it to a list first. Since I give it my check
function, I would expect it to use that instead of whatever default
internal conversion it does.
Regards, Faheem
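An added example (not code from either poster) of the conversion discussed in this thread without eval(): it accepts either the raw config string or the comma-split list that configobj hands to the check function, re-joins the fragments, parses them with ast.literal_eval (which only accepts Python literals, so names, calls and attribute access are rejected), and validates the resulting shape. The function name to_int_lists is assumed here; the sample input is the value quoted in the thread.

```python
import ast


def to_int_lists(value):
    """Convert a config value to a list of integer lists without eval().

    configobj splits an unquoted value on commas, so the literal
    [[5, 6], [7, 13, 18]] reaches a check function as the fragments
    ['[[5', '6]', '[7', '13', '18]'].  Re-joining with ',' restores the
    original text; ast.literal_eval then parses it as a Python literal only
    (no names, calls or attribute access), and the shape is checked before
    the result is returned.
    """
    if isinstance(value, (list, tuple)):
        # configobj stringlist: undo the comma split.
        text = ",".join(str(part) for part in value)
    elif isinstance(value, str):
        text = value
    else:
        raise TypeError("expected a string or a configobj string list, got %s"
                        % type(value).__name__)
    try:
        parsed = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        # Anything that is not a plain literal (e.g. a function call) ends here.
        raise ValueError("not a Python literal: %r" % text) from exc
    # Enforce the expected shape: a list of lists of ints (bool is excluded
    # deliberately, since isinstance(True, int) would otherwise pass).
    if not isinstance(parsed, list) or not all(
        isinstance(row, list) and all(type(n) is int for n in row)
        for row in parsed
    ):
        raise ValueError("expected a list of integer lists, got %r" % (parsed,))
    return parsed


if __name__ == "__main__":
    # Constructed sample: the split value quoted earlier in the thread.
    split_value = ['[[5', '6]', '[7', '13', '18]', '[9', '22]', '[10', '12]',
                   '[15', '16', '17]', '[20', '21]]']
    print(to_int_lists(split_value))
    # -> [[5, 6], [7, 13, 18], [9, 22], [10, 12], [15, 16, 17], [20, 21]]
```

Quoting the value in the config file, as Patrick suggests, keeps it a single string and takes the str branch above; the list branch covers the unquoted case that produced the TypeError in the thread.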