No, it was decided long ago that we don't offer this. Maybe we can rethink it nowadays, but please note that it only gives a false sense of security. Calling eval() on a string provided by a 3rd party is never safe, even if you use the trick of {'__builtins__':{}}. See Python: make eval safe.
Is it possible to restrict the builtins in PyPy?
04-04-2022
Question
According to the PyPy docs, "the __builtins__ name is always referencing the __builtin__ module, never a dictionary as it sometimes is in CPython. Assigning to __builtins__ has no effect." For example in CPython:

    >>> eval("__import__('os').system('clear')", {'__builtins__':{}})
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "<string>", line 1, in <module>
    NameError: name '__import__' is not defined

In PyPy it runs it without an error. Is there another way of restricting the builtins available?
Solution
Licensed under: CC-BY-SA with attribution