Author Carl Ekerot
Recipients Carl Ekerot, loewis, serhiy.storchaka, xiang.zhang
Date 2016-11-04.15:05:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1478271947.28.0.595157506036.issue28563@psf.upfronthosting.co.za>
In-reply-to
Content
It doesn't solve the case when an identifier or number is used as a function:

   >>> import os
   >>> gettext.c2py("n()")(lambda: os.system("sh"))
   $ 
   0
   >>> gettext.c2py("1()")(0)
   Traceback (most recent call last):
     File "<stdin>", line 1, in <module>
     File "<string>", line 1, in <lambda>
   TypeError: 'int' object is not callable

This is more of an unintended behavior than a security issue.

Xiang Zhang: I've created a patch based on yours which handles the above case. I've also added a corresponding test case.

Imo it would be even better if we could avoid eval. One possible (and safe) way would be to construct a safe subset of Python using the ast module. This would however still require that the C-style syntax is translated to Python. As you mention, there are issues parsing and translating nested ternary operators, and I doubt it will be possible to cover all cases with the regex replace utilized today.
History
Date User Action Args
2016-11-04 15:05:47Carl Ekerotsetrecipients: + Carl Ekerot, loewis, serhiy.storchaka, xiang.zhang
2016-11-04 15:05:47Carl Ekerotsetmessageid: <1478271947.28.0.595157506036.issue28563@psf.upfronthosting.co.za>
2016-11-04 15:05:47Carl Ekerotlinkissue28563 messages
2016-11-04 15:05:46Carl Ekerotcreate