projects / python-bulletml.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Reject all expressions with __ in them.
[python-bulletml.git] / bulletml / expr.py
diff --git a/bulletml/expr.py b/bulletml/expr.py
index 385b31b..c7d4098 100644 (file)
--- a/bulletml/expr.py
+++ b/bulletml/expr.py
@@ -38,6 +38,12 @@ class NumberDef(object):
             expr = expr.string
         except AttributeError:
             pass
+        try:
+            if "__" in expr:
+                # nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
+                raise ExprError(expr)
+        except TypeError:
+            pass
         self.string = expr = str(expr)
         repl = lambda match: "params[%d]" % (int(match.group()[1:]) - 1)
         expr = re.sub(r"\$\d+", repl, expr.lower())
python-bulletml - BulletML for Python