[Nexus] proposed additions to NXdata for non-linear scaling - to aid cbf interoperability
"V. Armando Solé"
sole at esrf.fr
Tue Mar 18 13:00:17 GMT 2014
On 18/03/2014 13:43, Wintersberger, Eugen wrote:
> Hi folks
>
>
>> I'm rather sceptical about using Python eval syntax here. Depending on
>> details of the implementation it will give the creator of the NeXus
>> file the ability to execute arbitrary code on the reader's machine
>> using the reader's privileges.
> That's a good point.
Again, I think we are mixing implementation and definition.
To say "it has to be a valid Python expression" does not imply a Python
interpreter *has* to be used.
It is simply extremely easy to test whether the expression is valid or not
without having to compile anything.
>> It will be much easier to keep the impact on security issues under
>> control if one uses a syntax that is by design strictly limited to
>> mathematical expressions, such as muParser.
> Most probably the best argument in favor of muParser I have heard so
> far.
>
If I were doing it on the Python side, I would forbid any import
statements in the formula expression, but that is something *I* would
care about.
Anyway, it is not my business.
Armando
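
Added example, not part of the original message or of any NeXus code: one way a reader could accept Python expression syntax for a scaling formula while never handing the text to `eval()`, which is the distinction between definition and implementation drawn in the message. The variable name `x`, the function whitelist, the length cap and all sample formulas are assumptions constructed for illustration.

```python
import ast
import math
import operator

# Assumed whitelist: arithmetic operators and a few math functions, nothing else.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
FUNCS = {"sqrt": math.sqrt, "log": math.log, "exp": math.exp}
MAX_LEN = 200  # assumed cap on formula length


class FormulaError(ValueError):
    """Raised for anything that is not a plain mathematical expression."""


def _walk(node, names):
    # Numbers are forced to float so huge powers overflow instead of
    # building arbitrarily large integers.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    if isinstance(node, ast.Name) and node.id in names:
        return float(names[node.id])
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_walk(node.left, names), _walk(node.right, names))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand, names))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_walk(arg, names) for arg in node.args])
    # Attribute access, subscripts, lambdas, comprehensions, unknown names
    # and calls to anything outside FUNCS all end up here.
    raise FormulaError("disallowed construct: " + type(node).__name__)


def evaluate_formula(formula, names):
    """Parse with Python's expression grammar, then evaluate by walking the
    tree; the text is never compiled to bytecode or passed to eval()."""
    if len(formula) > MAX_LEN:
        raise FormulaError("formula too long")
    try:
        tree = ast.parse(formula, mode="eval")  # statements such as import fail here
        return _walk(tree.body, names)
    except (SyntaxError, ArithmeticError, TypeError, ValueError) as exc:
        raise FormulaError(str(exc)) from exc
```

Because evaluation is a walk over whitelisted node types, the set of reachable operations is fixed by the reader, not by the file's author.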