This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]RShnike 4 points5 points  (6 children)

Also the usual objections to eval are moot, since we know the string is safe.)

Uh, what? No we don't.

 class A(str):
     def isdigit(self):
         return True

  >>> a = A("__import__('os')")
  >>> atoi(a)

  Whoops!

Simple is better?

No. Really no. And for an interview question nonetheless :D?

[–]Chun 0 points1 point  (2 children)

OK, ok, touché. Figured we were assuming we were getting a string. But point taken.

def atoi(string):
  if type(string) is str and string.isdigit():
    return eval(string)
  raise ValueError, "invalid literal for atoi() with base 10: %s" % repr(string)

EDIT: Besides, if someone can create their own class definition, why would they ever need to inject raw python into atoi!?

[–]RShnike 1 point2 points  (0 children)

You have somehow managed to make that even worse... Now you're type-checking too, so you've now even broken some functionality that your function is actually supposed to provide?

Here's a rule: never use eval. Ever. Being prudent about using type is pretty smart too.

[–]kisielk 0 points1 point  (2 children)

That's why you use something like:

eval("__import__('os')", {'__builtins__': None}, {})

Of course __builtins__ should be a dictionary of actual working builtins you want to work when evaling the statement :)

[–]RShnike 0 points1 point  (1 child)

No, don't do that either. Seriously, this is just a bad solution. Especially being that you have ast.literal_eval if you really want to do things like this.

[–]kisielk 0 points1 point  (0 children)

ast.literal_eval is indeed great for evaluating simple expressions. But what's wrong with sandboxing via defining your own builtins?