Dangerous network data parsing using eval() #30
Comments
the 'json' module is in python's standard library since 2.6 and using eval() is a huge security risk.
|
Hi, Thanks for contributing! We started to use eval because evaluating a python expression is much faster than parsing a json or xml. It's true that is less secure but we gain a lot of speed, so I think I will use your first way that it is also safer than using eval directly. Thanks!! |
|
Hi Miguel, I just did a couple of tests on a 5000-row resultset coming from solr. A friend of mine suggested I add
That last test just blew me off, so I triple-checked and So I would definitely suggest using Cheers |
|
Wow, I'm going to test it and include anyjson. Thank you so much for your contribution |
|
The updated patch works fine on my system. Cheers. |
|
Hi, From anyjson doc: "Anyjson loads whichever is the fastest JSON module" So, I will try each json library for seeing what library is the fastest in order to include this in the documentation. Then I will merge the pull request. Thanks! |
Using eval() to parse data received from the network is a huge security hole. There are 2 ways to fix this:
ast.literal_eval()function should happily parse Solr's pythonic output,jsonmodule on all python versions since mysolr seems to support python 2.6 and up.I have opted for the second solution since the code being already there, I assumed it worked properly on newer python versions.
NB: I have tested this patch on python 2.6 against solr 3.6, on Debian Squeeze.
The text was updated successfully, but these errors were encountered: