I'm trying to make a customization feature so that users can run their own Python code. I know I could have just used another piece of Python code and called it as a module, but this is different. I'm turning it into an EXE file, and the module is already provided in the EXE (so users can't make changes to the module). That is why I need to run it from a txt file. My plan is to read the contents of the txt file first (which contains the custom Python code) and run it with eval. Single-line code works, but it just won't run code of 2 or more lines. Is there any way to read 2 or more lines of the txt file (containing whitespace or a comment)? Thanks.

[EDIT: I'm sorry, I mean the code would raise an error if the user puts in whitespace or a comment (#). Is there any way to allow them to put in whitespace or a comment? Thanks.]

My code is provided here:

```python
import traceback
import os
from pathlib import Path

customscript = 'customscript.txt'  # P.S: the name of the txt file is this
scriptpath = Path(customscript)

def scriptreset():
    print("Couldn't find custom script, rewriting!")
    with open(customscript, 'w+') as f:
        f.write("#Write down your Python code here =]")
        print("Done! Re-use this command")

try:
    if scriptpath.is_file():
        scriptfile = open(customscript)
        lines = scriptfile.readlines()
        for line in lines:
            eval(line)

    else:
        scriptreset()

except Exception:
    print(traceback.format_exc())
```

Inside the txt file:

```python
print("HELLO WORLD")
```

Inside the alternate version of the txt file that will cause an error:

```python
def pack():
    print("Hi world!")#I love this world
    input("Do you like earth?")

pack()
```

  • Executing arbitrary user supplied code sounds like a dangerous idea, how can you be sure the script won't do something malicious? – Iain Shelvington May 02 '22 at 15:17
  • I agree, I'm pretty much a newbie – TheStupidDev May 02 '22 at 15:17
  • [why-is-using-eval-a-bad-practice](https://stackoverflow.com/questions/1832940/why-is-using-eval-a-bad-practice) – Patrick Artner May 02 '22 at 15:35
  • I will 100% consider changing the eval part. Do you think there are other ways? Thanks. – TheStupidDev May 02 '22 at 15:39
  • As you have discovered, `eval()` is only for expressions, not for statements or blocks of statements. The equivalent for statements is `exec()`. I concur with the other comments that you *really, really* should not be doing this. In Python 2 there was `rexec()` that was intended to provide a safe way to do what you want. It was deprecated in 2.6 (2008), because it turned out there was no safe way to do what you want, and removed in Python 3. – BoarGules May 02 '22 at 16:31
  • Doing this safely can require a lot of work. If you really need to do this, you should consider defining a small set of allowable inputs and create a parser that with absolute certainty produces safe code. – OTheDev May 02 '22 at 17:25
  • Please read about the [XY Problem](https://xyproblem.info/). You've essentially told us you're trying to use a hammer to drive a screw. That is, you haven't described the real problem but the problem you encountered when you tried solving the real problem using the only solution you could think of. – Kurtis Rader May 02 '22 at 20:14

0 Answers
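
The approach suggested in the comments (a small set of allowable inputs plus a parser), shown as an added example that is not part of the original question or its comments: the custom file is read as a tiny command language and nothing is passed to `eval` or `exec`. The command names `set`, `say` and `repeat`, the `MAX_REPEAT` limit and the sample script are assumptions made for illustration.

```python
import shlex
from string import Template

MAX_REPEAT = 20  # assumed limit for this example
COUNTS = {str(n) for n in range(MAX_REPEAT + 1)}

class ScriptError(ValueError):
    """A line used an unknown command or bad arguments."""

def cmd_set(state, args):
    # set <name> <value>: store a string variable
    if len(args) != 2 or not args[0].isidentifier():
        raise ScriptError("usage: set <name> <value>")
    state["vars"][args[0]] = args[1]

def cmd_say(state, args):
    # say <text...>: emit text. $name is filled in by Template, which does
    # plain lookups only (str.format would allow attribute access).
    text = Template(" ".join(args)).safe_substitute(state["vars"])
    state["out"].append(text)

def cmd_repeat(state, args):
    # repeat <count> <text...>: bounded, so a script cannot loop forever
    if len(args) < 2 or args[0] not in COUNTS:
        raise ScriptError(f"usage: repeat <0-{MAX_REPEAT}> <text...>")
    for _ in range(int(args[0])):
        cmd_say(state, args[1:])

# The only operations a script can reach.
COMMANDS = {"set": cmd_set, "say": cmd_say, "repeat": cmd_repeat}

def run_script(text):
    """Run a custom script and return the list of lines it produced."""
    state = {"vars": {}, "out": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            words = shlex.split(line, comments=True)  # strips '# ...'
            if not words:  # blank or comment-only line
                continue
            if words[0] not in COMMANDS:
                raise ScriptError(f"unknown command {words[0]!r}")
            COMMANDS[words[0]](state, words[1:])
        except ValueError as exc:  # ScriptError, or shlex's unclosed quote
            raise ScriptError(f"line {lineno}: {exc}") from None
    return state["out"]

# Constructed sample of what customscript.txt could contain.
SAMPLE = ('# greeting script\nset planet earth\n\n'
          'say "Hi world!"   # I love this world\nrepeat 2 Do you like $planet?\n')
```

Blank lines and `#` comments are skipped by the tokenizer, and any line that is not one of the listed commands is rejected with its line number instead of being executed.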