
Author tim.peters
Date 2001-11-12.18:52:22

Why are people (Paul, Jeremy) concerned about eval'ing 
strings?  cPickle and pickle both check that they're 
properly quoted, and this isn't sh or Perl:  Python has 
no "dynamic" gimmicks buried in string literals.  All 
eval'ing a string literal can do is produce a binary blob 
via interpreting simple escape sequences.  They're like C 
strings this way -- maybe we'll run out of memory, but 
that's it.

I would agree that Python should be refactored internally 
to supply a clean function for changing string literals 
into binary blobs, but that would be for clarity and 
efficiency, not security.
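The quoting check and the escape-only decoding discussed above, written out as an added example that is not code from this message or from CPython's pickle module; `is_plain_literal`, `decode_string_literal` and `string_opcode_argument` are hypothetical names, and the STRING opcode line is a constructed sample.

```python
import codecs


class InsecureStringPickle(ValueError):
    """The argument of a STRING opcode is not a single quoted literal."""


def is_plain_literal(rep: bytes) -> bool:
    """True if rep is exactly one quoted byte-string literal.

    Outer bytes must be the same quote; that quote may appear inside only
    when backslash-escaped. repr() never emits an unescaped delimiter
    inside a literal, so well-formed protocol-0 pickles always pass.
    """
    if len(rep) < 2 or rep[0] != rep[-1] or rep[:1] not in (b"'", b'"'):
        return False
    quote, body, i = rep[:1], rep[1:-1], 0
    while i < len(body):
        if body[i:i + 1] == b"\\":
            i += 2          # skip the escaped byte, whatever it is
            continue
        if body[i:i + 1] == quote:
            return False    # delimiter closed early: not a single literal
        i += 1
    return True


def decode_string_literal(rep: bytes) -> bytes:
    """Turn a STRING opcode argument into a byte blob without eval().

    Only C-style escape sequences are interpreted, so the result is
    bounded by the input: at worst a large blob, never code execution.
    """
    if not is_plain_literal(rep):
        raise InsecureStringPickle("STRING argument must be a quoted literal")
    blob, _consumed = codecs.escape_decode(rep[1:-1])
    return blob


def string_opcode_argument(line: bytes) -> bytes:
    """Decode one protocol-0 STRING opcode line, e.g. b"S'abc'\\n"."""
    if not (line.startswith(b"S") and line.endswith(b"\n")):
        raise InsecureStringPickle("not a STRING opcode line")
    return decode_string_literal(line[1:-1])


if __name__ == "__main__":
    # Constructed sample: how protocol 0 writes the string "it's\n".
    print(string_opcode_argument(b"S\"it's\\n\"\n"))   # b"it's\n"
```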