Author vstinner
Recipients Jeremy.Hylton, Trundle, alex, benjamin.peterson, berker.peksag, brett.cannon, daniel.urban, dmalcolm, eltoder, eric.snow, georg.brandl, gregory.p.smith, inada.naoki, isoschiz, jcon, mark.dickinson, meador.inge, nadeem.vawda, ncoghlan, pconnell, pitrou, pstch, rhettinger, santoso.wijaya, serhiy.storchaka, techtonik, terry.reedy, vstinner
Date 2017-01-31.14:05:11
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <CAMpsgwaz67bKXkysG_Q-8xZaxNrnLC+DDj_pmUCckwV2EAJz3g@mail.gmail.com>
In-reply-to <1485869594.0.0.567361563353.issue11549@psf.upfronthosting.co.za>
Content
Hugo Geoffroy added the comment:
> I would like to point out that the changes in `ast.literal_eval` may have some security risk for code that does not expect this function to return an object with user-controlled length (for example, with `2**32*'X'`). AFAIK, this is not possible with the current version of `literal_eval`.

Since the Python compiler doesn't produce ast.Constant, there is no
change in practice in ast.literal_eval(). If you found a bug, please
open a new issue.

> At least [this library](https://pypi.python.org/pypi/serpent) would have a serious risk of remote DoS:

I tried hard to implement a sandbox in Python and I failed:
https://lwn.net/Articles/574215/

I don't think that literal_eval() is safe *by design*.
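The behaviour discussed in this exchange, as an added example that is not part of the original message or of CPython: `ast.literal_eval` rejects `2**32*'X'` with a `ValueError` because it accepts only literal nodes (plus `+`/`-` for complex numbers), so it cannot by itself produce an object larger than its input. What it does not do is bound the size or nesting depth of the input, so a caller feeding it untrusted data has to add those bounds before parsing. The `bounded_literal_eval` wrapper and the `MAX_*` limits below are assumed values for illustration, not anything in the standard library.

```python
import ast

# Assumed limits for illustration; tune them for the application.
MAX_SOURCE_BYTES = 64 * 1024   # reject before parsing anything larger
MAX_NODES = 10_000             # total AST nodes after parsing
MAX_DEPTH = 50                 # nesting depth of lists/dicts/tuples


class LiteralTooLarge(ValueError):
    """Raised when untrusted literal text exceeds one of the bounds."""


def _ast_depth(tree: ast.AST) -> int:
    # Iterative walk so a deeply nested tree cannot recurse us to death.
    depth = 0
    stack = [(tree, 1)]
    while stack:
        node, level = stack.pop()
        depth = max(depth, level)
        stack.extend((child, level + 1) for child in ast.iter_child_nodes(node))
    return depth


def bounded_literal_eval(src: str):
    """literal_eval with explicit bounds on input size, node count and depth."""
    if len(src.encode("utf-8")) > MAX_SOURCE_BYTES:
        raise LiteralTooLarge("literal source exceeds %d bytes" % MAX_SOURCE_BYTES)
    # The parser itself may still raise SyntaxError/MemoryError/RecursionError
    # on hostile input; callers should treat those as rejection too.
    tree = ast.parse(src, mode="eval")
    node_count = sum(1 for _ in ast.walk(tree))
    if node_count > MAX_NODES:
        raise LiteralTooLarge("literal has %d nodes" % node_count)
    depth = _ast_depth(tree)
    if depth > MAX_DEPTH:
        raise LiteralTooLarge("literal nesting depth %d" % depth)
    # literal_eval accepts an Expression node directly, so the tree is
    # checked once and evaluated once without re-parsing.
    return ast.literal_eval(tree)


def literal_eval_rejects(src: str) -> bool:
    """True when plain ast.literal_eval refuses src as a non-literal."""
    try:
        ast.literal_eval(src)
    except ValueError:
        return True
    return False


def bounded_rejects(src: str) -> bool:
    """True when bounded_literal_eval refuses src on one of the size bounds."""
    try:
        bounded_literal_eval(src)
    except LiteralTooLarge:
        return True
    return False


if __name__ == "__main__":
    # Arithmetic is never a literal: the expression from the thread is refused.
    print("2**32*'X' rejected:", literal_eval_rejects("2**32*'X'"))
    # Well-formed literal data evaluates normally under the bounds.
    print(bounded_literal_eval("{'a': [1, 2.5, 'x', None, 1+2j]}"))
    # Deep nesting is refused before literal_eval ever sees it.
    print("deep nesting rejected:", bounded_rejects("[" * 60 + "]" * 60))
```

The point of the wrapper is that every rejection happens on the untrusted text or on the parsed tree, never on the evaluated value: by the time `ast.literal_eval` runs, the input is already known to be small, shallow and purely literal, so the size of the result is bounded by the size of the input.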
History
Date                 User      Action  Args
2017-01-31 14:05:11  vstinner  set     recipients: + vstinner, brett.cannon, georg.brandl, rhettinger, terry.reedy, gregory.p.smith, mark.dickinson, ncoghlan, pitrou, techtonik, nadeem.vawda, benjamin.peterson, alex, Trundle, inada.naoki, dmalcolm, meador.inge, daniel.urban, Jeremy.Hylton, santoso.wijaya, eltoder, eric.snow, jcon, berker.peksag, serhiy.storchaka, pconnell, isoschiz, pstch
2017-01-31 14:05:11  vstinner  link    issue11549 messages
2017-01-31 14:05:11  vstinner  create