Message 166448
The current implementation of PEP 391 relies on eval, which is substantially more permissive than the expected syntax described in the spec. This means the listen() feature provides an attack vector for injection of untrusted code.
While the documentation has been updated with a cautionary note to this effect, longer term, the use of eval() should be replaced with:
1. ast.literal_eval()
2. refactoring the str.format attribute and item lookup code into something suitable for reuse in other contexts (perhaps exposed via the ast module as "ast.lookup_eval()")
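Both replacements proposed in the message, as an added illustration that is not code from the message or from CPython's logging.config: ast.literal_eval() accepts only literal syntax and rejects calls and names, and a str.format-style field lookup resolves dotted/indexed paths by plain attribute and item access without evaluating anything. The sample values and the field grammar are assumptions made for this example.

```python
import ast
import re

# Constructed sample values of the kind a logging configuration carries.
SAMPLE_ARGS = "('app.log', 'a', 1048576, 5)"
SAMPLE_CONFIG = {
    "handlers": {"email": {"level": "DEBUG", "toaddrs": ["ops@example.test"]}},
}


def parse_literal(text):
    """Replacement 1: ast.literal_eval accepts only Python literals (strings,
    numbers, tuples, lists, dicts, None/True/False) and rejects calls, names
    and attribute access, all of which eval() would execute."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc


def is_literal(text):
    try:
        parse_literal(text)
        return True
    except ValueError:
        return False


# Replacement 2: a str.format-style field lookup (assumed grammar). After the
# leading name, a field is a sequence of ".attr" (getattr) and "[key]" (item)
# parts; attribute names must start with a letter, so dunders are refused.
_PART_RE = re.compile(r"\.([A-Za-z]\w*)|\[(\w+)\]")


def lookup_field(field, namespace):
    """Resolve e.g. 'handlers[email][toaddrs][0]' by item/attribute access
    only; nothing in the field string is ever evaluated."""
    head = re.match(r"[A-Za-z]\w*", field)
    if not head:
        raise ValueError(f"bad field name: {field!r}")
    obj, pos = namespace[head.group()], head.end()
    while pos < len(field):
        part = _PART_RE.match(field, pos)
        if not part:
            raise ValueError(f"bad field syntax at {pos}: {field!r}")
        attr, key = part.groups()
        if attr is not None:
            obj = getattr(obj, attr)
        else:
            obj = obj[int(key)] if key.isdigit() else obj[key]
        pos = part.end()
    return obj
```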
Date | User | Action | Args
2012-07-26 01:01:35 | ncoghlan | set | recipients: + ncoghlan, vinay.sajip
2012-07-26 01:01:35 | ncoghlan | set | messageid: <1343264495.49.0.0195201203683.issue15452@psf.upfronthosting.co.za>
2012-07-26 01:01:34 | ncoghlan | link | issue15452 messages
2012-07-26 01:01:34 | ncoghlan | create |