Message286530
I would like to point out that the changes in `ast.literal_eval` may have some security risk for code that does not expect this function to return an object with user-controlled length (for example, with `2**32*'X'`). AFAIK, this is not possible with the current version of `literal_eval`.
At least [this library](https://pypi.python.org/pypi/serpent) would have a serious risk of remote DoS:
> Because it only serializes literals and recreates the objects using ast.literal_eval(), the serialized data is safe to transport to other machines (over the network for instance) and de-serialize it there.
Sorry for the noise if this is a useless/incorrect consideration.
Date | User | Action | Args
2017-01-31 13:33:14 | pstch | set | recipients: + pstch, brett.cannon, georg.brandl, rhettinger, terry.reedy, gregory.p.smith, mark.dickinson, ncoghlan, pitrou, vstinner, techtonik, nadeem.vawda, benjamin.peterson, alex, Trundle, methane, dmalcolm, meador.inge, daniel.urban, Jeremy.Hylton, santoso.wijaya, eltoder, eric.snow, jcon, berker.peksag, serhiy.storchaka, pconnell, isoschiz
2017-01-31 13:33:14 | pstch | set | messageid: <1485869594.0.0.567361563353.issue11549@psf.upfronthosting.co.za>
2017-01-31 13:33:13 | pstch | link | issue11549 messages
2017-01-31 13:33:13 | pstch | create |
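The concern raised in the message above, worked through as an added example (this is not code from the message, from CPython, or from the serpent library). It first confirms that today's `ast.literal_eval` refuses `2**32*'X'`, then shows a defence-in-depth wrapper, `bounded_literal_eval`, that a deserializer could use so that the memory consumed by the result stays bounded by the size of the input text even if a future `literal_eval` started accepting folded arithmetic. The helper name, the size cap and the sample inputs are assumptions made for this example.

```python
import ast

# Constructed sample inputs (not taken from the original message or from serpent):
# the amplifying expression pstch cites, and a harmless serialized literal of the
# kind a literal-only serializer would actually emit.
AMPLIFYING_EXPR = "2**32*'X'"
HARMLESS_LITERAL = "{'user': 'alice', 'roles': ['admin', 'ops'], 'retries': -3, 'z': 1+2j}"

# Operators whose result can be far larger than the source text that spells them.
# Add/Sub are left alone because literal_eval needs them for complex literals (1+2j).
_AMPLIFYING_OPS = (ast.Mult, ast.Pow, ast.LShift)


def literal_eval_rejects(src):
    """True if the running Python's ast.literal_eval refuses `src`."""
    try:
        ast.literal_eval(src)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return True
    return False


def bounded_literal_eval(src, max_len=64 * 1024):
    """Hypothetical wrapper around ast.literal_eval for untrusted input.

    1. Cap the source length: every object literal_eval can build is spelled out
       character by character, so once amplifying operators are excluded the
       result's size is bounded by max_len.
    2. Parse with ast.parse in 'eval' mode, which does not constant-fold, and
       refuse any BinOp that could amplify size, independently of what
       literal_eval itself accepts in a given Python version.
    3. Only then evaluate the already-parsed tree (literal_eval accepts an
       ast.Expression node as well as a string).
    """
    if len(src) > max_len:
        raise ValueError("literal too long: %d > %d" % (len(src), max_len))
    tree = ast.parse(src, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.BinOp) and isinstance(node.op, _AMPLIFYING_OPS):
            raise ValueError(
                "amplifying operator %s not allowed" % type(node.op).__name__
            )
    return ast.literal_eval(tree)


if __name__ == "__main__":
    print("literal_eval rejects %r: %s" % (AMPLIFYING_EXPR, literal_eval_rejects(AMPLIFYING_EXPR)))
    print("bounded parse of harmless literal:", bounded_literal_eval(HARMLESS_LITERAL))
    try:
        bounded_literal_eval(AMPLIFYING_EXPR)
    except ValueError as exc:
        print("bounded_literal_eval refused:", exc)
```

The length cap is what makes the wrapper meaningful: without it, even a plain string literal gives the sender control of the allocation, just with a one-to-one ratio between bytes on the wire and bytes allocated, which is the property the message says serpent relies on.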