
Author larry
Recipients larry, ncoghlan, pdmccormick, serhiy.storchaka, yselivanov, zach.ware
Date 2015-04-15.18:52:36
Message-id <1429123957.6.0.780975142449.issue23967@psf.upfronthosting.co.za>
In-reply-to
Content
Peter's working on converting socket to use Argument Clinic.  He had a default that really should look like this:

    min(SOME_SOCKET_MODULE_CONSTANT, 128)

"min" wasn't something we'd needed before.  I thought about it and realized we could do a much better job of simulating the evaluation context of a shared module.

Initially I thought, all I needed was to bolster the environment we used for eval() to add the builtins.  (Which I've done.)  But this wasn't sufficient because we deliberately used ast.literal_eval(), which doesn't support function calls by design for superior security.  Or subscripting, or attribute access.  We already worked around those I think.

But how concerned are we about security?  What is the attack vector here?  If the user is able to construct an object that has a villainous __text_signature__ on it... surely they could already do as they like?

So here's a first draft at modifying the __text_signature__ evaluation environment so it can handle much more sophisticated expressions.  It can use anything from builtins, or anything in sys.modules, or anything in the current module; it can call functions, and subscript, and access attributes, and everything.

To make this work I had to write an ast printer that produces evaluatable Python code.  Note that it's not complete, I know it's not complete, it's missing loads of operators.  Assume that if this is a good idea I will add all the missing operators.

Nick was worried that *in the future* we might expose a "turn this string into a signature" function.  That might make an easier attack vector.  So he asked that the "trusted=" keyword flag be added, and the full-on eval only happen if the string is trusted.
History
Date                 User   Action  Args
2015-04-15 18:52:37  larry  set     recipients: + larry, ncoghlan, zach.ware, serhiy.storchaka, yselivanov, pdmccormick
2015-04-15 18:52:37  larry  set     messageid: <1429123957.6.0.780975142449.issue23967@psf.upfronthosting.co.za>
2015-04-15 18:52:37  larry  link    issue23967 messages
2015-04-15 18:52:37  larry  create
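
The trade-off discussed in the message above, as an added sketch that is not part of the original message or of CPython's inspect module: a default-value evaluator where full eval() runs only when the caller passes trusted=True, and untrusted text goes through a hand-written AST walk that refuses calls, attribute access and subscripting. The names `evaluate_default`, `module_ns` and `probe` are hypothetical, and the constant's value is constructed.

```python
import ast
import builtins

def evaluate_default(source, module_ns, trusted=False):
    """Evaluate one default-value expression taken from a signature string.

    module_ns stands in for the owning module's globals (an assumption of
    this sketch). Full eval() only happens when the caller sets trusted=True.
    """
    tree = ast.parse(source.strip(), mode="eval")
    if trusted:
        # Trusted text: builtins plus module names, arbitrary code may run.
        env = {**vars(builtins), **module_ns}
        return eval(compile(tree, "<text_signature>", "eval"), env)
    return _restricted(tree.body, module_ns)

def _restricted(node, module_ns):
    """Walk the AST by hand; nothing here calls or imports anything."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in module_ns:
            return module_ns[node.id]      # plain dict lookup, no code runs
        raise ValueError(f"unknown name {node.id!r}")
    if isinstance(node, (ast.Tuple, ast.List)):
        items = [_restricted(e, module_ns) for e in node.elts]
        return tuple(items) if isinstance(node, ast.Tuple) else items
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        operand = _restricted(node.operand, module_ns)
        if isinstance(operand, (int, float)):
            return -operand
    # Call, Attribute, Subscript, BinOp, ... are refused outright.
    raise ValueError(f"{type(node).__name__} not allowed in untrusted text")

def demo():
    calls = []
    ns = {"SOME_SOCKET_MODULE_CONSTANT": 4096,          # constructed value
          "probe": lambda: calls.append("ran") or 0}    # hypothetical callable
    results = {"trusted": evaluate_default(
        "min(SOME_SOCKET_MODULE_CONSTANT, 128)", ns, trusted=True)}
    for text in ("min(SOME_SOCKET_MODULE_CONSTANT, 128)", "probe()"):
        try:
            evaluate_default(text, ns)
        except ValueError as exc:
            results[text] = str(exc)
    results["side_effects"] = list(calls)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The untrusted path resolves bare names by dictionary lookup only, so a signature string from an unknown source can name a module constant but cannot cause any callable to run.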