This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients Jeremy.Hylton, Trundle, alex, benjamin.peterson, berker.peksag, brett.cannon, daniel.urban, dmalcolm, eltoder, eric.snow, georg.brandl, gregory.p.smith, isoschiz, jcon, mark.dickinson, meador.inge, methane, nadeem.vawda, ncoghlan, pconnell, pitrou, pstch, rhettinger, santoso.wijaya, serhiy.storchaka, techtonik, terry.reedy, vstinner
Date 2017-01-31.14:35:03
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1485873303.5.0.884281588997.issue11549@psf.upfronthosting.co.za>
In-reply-to
Content
> Currently there is no a bug in ast.literal_eval() because the '**' operator is not accepted.

The doc says "This can be used for safely evaluating strings containing Python values from untrusted sources without the need to parse the values oneself. It is not capable of evaluating arbitrarily complex expressions, for example involving operators or indexing."
https://docs.python.org/dev/library/ast.html#ast.literal_eval

I don't think that it's a bug, but a deliberate design choice. a**b is an obvious trick to DoS a server (high CPU and memory usage).
History
Date User Action Args
2017-01-31 14:35:03vstinnersetrecipients: + vstinner, brett.cannon, georg.brandl, rhettinger, terry.reedy, gregory.p.smith, mark.dickinson, ncoghlan, pitrou, techtonik, nadeem.vawda, benjamin.peterson, alex, Trundle, methane, dmalcolm, meador.inge, daniel.urban, Jeremy.Hylton, santoso.wijaya, eltoder, eric.snow, jcon, berker.peksag, serhiy.storchaka, pconnell, isoschiz, pstch
2017-01-31 14:35:03vstinnersetmessageid: <1485873303.5.0.884281588997.issue11549@psf.upfronthosting.co.za>
2017-01-31 14:35:03vstinnerlinkissue11549 messages
2017-01-31 14:35:03vstinnercreate