
Author Claudiu.Popa
Recipients Claudiu.Popa, Guido.van.Rossum, lemburg, r.david.murray, stephen.farris
Date 2015-01-21.22:07:01
Message-id <1421878021.4.0.65917302318.issue22885@psf.upfronthosting.co.za>
Content
Here's a patch which uses ast.literal_eval instead. This doesn't get code executed, since literal_eval will fail loudly for anything other than a literal. There are some issues to consider:

- let the current ast.literal_eval call bubble out with a lot of different exceptions
- normalize the exception to dbm.dumb.error.

I'm leaning towards the first, since it clearly shows that something bad happened in the module and it's a first indicator that someone tampered with the data file.
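
The two options weighed in the message above, as an added example that is not part of the original message or the attached patch. The index line format, the sample lines and the function names are assumptions made for illustration; `dbm.dumb.error` is the real module-level exception.

```python
import ast
import dbm.dumb

# Constructed index lines, assuming a "key, (pos, size)" layout per line.
SAMPLE_LINES = [
    "'spam', (0, 5)",        # well-formed entry
    "len('abc'), (0, 3)",    # call expression: not a literal, never evaluated
    "'eggs', (512, 4",       # truncated entry: unbalanced parenthesis
    "42",                    # a valid literal, but not a (key, pair) tuple
]


def parse_bubble(line):
    """Option 1: let whatever literal_eval or unpacking raises propagate."""
    key, (pos, siz) = ast.literal_eval(line)
    return key, pos, siz


def parse_normalized(line):
    """Option 2: fold every parse failure into dbm.dumb.error."""
    try:
        return parse_bubble(line)
    except (ValueError, SyntaxError, TypeError) as exc:
        # Chain the original exception so the root cause is still visible.
        raise dbm.dumb.error(f"corrupt index line: {line!r}") from exc


def outcome(parser, line):
    """Return the parsed tuple, or the name of the exception type raised."""
    try:
        return parser(line)
    except Exception as exc:
        return type(exc).__name__


def compare():
    """Pair the result of both options for each constructed line."""
    return [(outcome(parse_bubble, line), outcome(parse_normalized, line))
            for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, compare()):
        print(f"{line!r:26} bubble={result[0]!r} normalized={result[1]!r}")
```

With option 1 a caller has to expect at least three unrelated exception types from one corrupt file; with option 2 the type is uniform and the original error survives only as `__cause__`.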