Author arigo
Date 2004-06-29.10:36:31

Doing the type check in exec and execfile() but not in
eval() is not something that seems particularly useful to
me.  Any program can be written as an expression in Python
if you are crazy enough to do that...  So it doesn't offer
any extra security to be more strict in exec than in eval().
People who really want to do it would have to go through
incredible pain just to work around the type check.

For the implications, I believe it is sufficient (and
necessary) to carefully review all usages of f_locals
throughout the code, and document f_locals as no longer
necessarily a dictionary for those extension writers that
would have used this fact.

Date                 User   Action  Args
2007-08-23 13:50:45  admin  link    issue215126 messages
2007-08-23 13:50:45  admin  create