From: Joe Wreschnig
Date: Sun, 10 Jun 2012 08:42:21 +0000 (+0200)
Subject: Reject all expressions with __ in them.
X-Git-Url: https://git.yukkurigames.com/?p=python-bulletml.git;a=commitdiff_plain;h=1880336bb4dedf2261d8902070ee3f143718c8e4
Reject all expressions with __ in them.
---
diff --git a/bulletml/expr.py b/bulletml/expr.py
index 385b31b..c7d4098 100644
--- a/bulletml/expr.py
+++ b/bulletml/expr.py
@@ -38,6 +38,12 @@ class NumberDef(object):
 expr = expr.string
 except AttributeError:
 pass
+ try:
+ if "__" in expr:
+ # nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
+ raise ExprError(expr)
+ except TypeError:
+ pass
 self.string = expr = str(expr)
 repl = lambda match: "params[%d]" % (int(match.group()[1:]) - 1)
 expr = re.sub(r"\$\d+", repl, expr.lower())
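Review bot: The added `"__" in expr` check runs on the raw `expr` value before the context line `self.string = expr = str(expr)`, so a non-string input is skipped through `except TypeError: pass` and its stringified form is never inspected, even though that stringified form is the text the following `re.sub` rewrites. Moving the check below the conversion makes it apply to exactly the text that is processed later and removes the need for the try/except: keep `self.string = expr = str(expr)` and then add `if "__" in expr: raise ExprError(expr)`. If `ExprError` were ever a subclass of `TypeError` (not visible here), the current placement would also swallow the rejection silently, which is another reason to drop the guard. A substring denylist narrows but does not close the class of problems the linked article describes, presumably because the string is later evaluated; a more robust mitigation is to parse it with `ast.parse(expr, mode="eval")` and accept only arithmetic node types, which is worth recording as `# TODO: replace the "__" denylist with an AST allowlist` at this spot. The enclosing method starts outside the hunk.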