Author ncoghlan
Recipients ncoghlan, vinay.sajip
Date 2012-07-26.01:01:34
Message-id <1343264495.49.0.0195201203683.issue15452@psf.upfronthosting.co.za>
In-reply-to
Content
The current implementation of PEP 391 relies on eval, which is substantially more permissive than the expected syntax described in the spec. This means the listen() feature provides an attack vector for injection of untrusted code.

While the documentation has been updated with a cautionary note to this effect, longer term, the use of eval() should be replaced with:

1. ast.literal_eval()
2. refactoring the str.format attribute and item lookup code into something suitable for reuse in other contexts (perhaps exposed via the ast module as "ast.lookup_eval()")
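As an added example (not code from this tracker message, and not the logging module's own implementation), the eval() pattern the message objects to is shown beside the two replacements it proposes: ast.literal_eval() for argument strings, and a str.format-style attribute/item lookup for dotted paths. The "args" strings are constructed samples modelled on a handler's argument list; lookup_eval() is a hypothetical helper named after the "ast.lookup_eval()" idea above and is built on string.Formatter.get_field, which is what str.format uses for "{obj.attr[key]}" fields.

```python
import ast
import string
import sys

# Constructed sample inputs. BENIGN_ARGS is the kind of argument string a
# handler section of a logging configuration might carry; MALICIOUS_ARGS is the
# kind of string an untrusted client could push at a listen() socket. The
# payload is deliberately harmless (it only reads the pid) so this is safe to run.
BENIGN_ARGS = "('/tmp/app.log', 'a', 1048576, 5)"
MALICIOUS_ARGS = "(__import__('os').getpid(),)"

# Constructed namespace standing in for a loaded configuration plus a module
# that a config may legitimately reference (as in "ext://sys.stderr").
SAMPLE_NAMESPACE = {
    "handlers": {"console": {"level": "INFO", "stream": sys.stderr}},
    "levels": ["DEBUG", "INFO"],
    "sys": sys,
}


def parse_args_unsafe(text):
    """The eval() pattern: any Python expression in the string is executed."""
    return eval(text)  # demonstrates the problem; do not copy


def parse_args_safe(text):
    """Hardened form: ast.literal_eval() accepts literals only.

    Strings, numbers, tuples, lists, dicts, sets, booleans and None parse;
    names, calls, attribute access and operators raise ValueError.
    """
    return ast.literal_eval(text)


_FORMATTER = string.Formatter()


def lookup_eval(path, namespace):
    """Resolve a 'root.attr[key][0]' style path without eval().

    Hypothetical helper (the name is taken from the message, it is not a stdlib
    function). It reuses str.format's field machinery, which only performs
    attribute access and item lookup: no calls, operators or imports are
    possible, so "sys.exit(0)" fails with AttributeError and
    "__import__('os')" fails with KeyError on the root name.
    """
    obj, _root = _FORMATTER.get_field(path, (), namespace)
    return obj


if __name__ == "__main__":
    print(parse_args_safe(BENIGN_ARGS))
    try:
        parse_args_safe(MALICIOUS_ARGS)
    except ValueError as exc:
        print("rejected by literal_eval:", exc)
    print(lookup_eval("handlers[console][level]", SAMPLE_NAMESPACE))
    print(lookup_eval("levels[1]", SAMPLE_NAMESPACE))
    print(lookup_eval("sys.stderr", SAMPLE_NAMESPACE))
```

Two caveats a practitioner would want: ast.literal_eval() removes code execution but is documented as able to crash the interpreter on sufficiently deeply nested input, so size-limit anything that arrives over a socket before parsing it; and a lookup that allows arbitrary attribute chains can still reach anything connected to the root objects (including dunder attributes), so the namespace handed to lookup_eval() should contain only the configuration itself and a vetted set of modules, not the caller's globals.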
History
Date User Action Args
2012-07-26 01:01:35  ncoghlan  set  recipients: + ncoghlan, vinay.sajip
2012-07-26 01:01:35  ncoghlan  set  messageid: <1343264495.49.0.0195201203683.issue15452@psf.upfronthosting.co.za>
2012-07-26 01:01:34  ncoghlan  link  issue15452 messages
2012-07-26 01:01:34  ncoghlan  create