While it's true that eval can be a security hole, it's possible to restrict what is available to it by modifying the globals:
>>> f = eval('lambda x: float(x)', {'__builtins__': None})
>>> f('1.1')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 1, in <lambda>
NameError: global name 'float' is not defined
Instead, pass in a dictionary containing only the functions you want exposed to those defining the functions:
safe_builtins = dict(
    __builtins__ = None,
    float = float,
    sum = sum,
    custom_func = ...
)
loaded_func = eval("lambda x: ...", safe_builtins)
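
An added example, not part of the original answer: the globals dictionary only decides which names resolve, so this version also checks the expression's syntax tree against an allowlist before calling eval. The helper name `load_func`, the node allowlist and the sample expressions are assumptions made for illustration, and the elided `custom_func` is left out.

```python
import ast

# Names the loaded function may reference (assumed allowlist, mirroring the
# dictionary above without the elided custom_func).
SAFE_GLOBALS = {"__builtins__": None, "float": float, "sum": sum}

# Syntax node types permitted inside the expression; anything else is refused.
ALLOWED_NODES = (
    ast.Expression, ast.Lambda, ast.arguments, ast.arg, ast.Call, ast.Name,
    ast.Load, ast.Constant, ast.BinOp, ast.UnaryOp, ast.Add, ast.Sub,
    ast.Mult, ast.Div, ast.USub, ast.List, ast.Tuple,
)


def load_func(source, safe_globals=SAFE_GLOBALS):
    """Hypothetical helper: vet a lambda's syntax tree, then eval it."""
    tree = ast.parse(source, mode="eval")
    if not isinstance(tree.body, ast.Lambda):
        raise ValueError("expected a lambda expression")
    # Parameter names declared by the lambda are the only other legal names.
    params = {a.arg for a in ast.walk(tree) if isinstance(a, ast.arg)}
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            # Covers Attribute, Subscript, comprehensions, f-strings, ...
            raise ValueError("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Name):
            if node.id.startswith("_") or node.id not in params | set(safe_globals):
                raise ValueError("disallowed name: " + node.id)
    # Copy the dict so the evaluated code cannot mutate the shared allowlist.
    return eval(compile(tree, "<loaded>", "eval"), dict(safe_globals))


if __name__ == "__main__":
    f = load_func("lambda x: sum([float(x), 2])")   # constructed sample input
    print(f("1.5"))
    for bad in ("lambda x: x.__class__", "lambda x: open(x)"):
        try:
            load_func(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Vetting the syntax narrows what the expression can reach; it does not bound the CPU time or memory the loaded function uses.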