Message286534
> Since the Python compiler doesn't produce ast.Constant, there is no
change in practice in ast.literal_eval(). If you found a bug, please
open a new issue.
Currently there is no a bug in ast.literal_eval() because the '**' operator is not accepted.
>>> ast.literal_eval("2**2**32")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/serhiy/py/cpython/Lib/ast.py", line 85, in literal_eval
return _convert(node_or_string)
File "/home/serhiy/py/cpython/Lib/ast.py", line 84, in _convert
raise ValueError('malformed node or string: ' + repr(node))
ValueError: malformed node or string: <_ast.BinOp object at 0xb6f2fa4c>
But if move the optimization to AST level this can add a vulnerability to DOS attack. The optimizer should do additional checks first than execute operators that can return too large value or take too much CPU time. Currently this vulnerability have place in the peephole optimizer. |
|
Date |
User |
Action |
Args |
2017-01-31 14:32:55 | serhiy.storchaka | set | recipients:
+ serhiy.storchaka, brett.cannon, georg.brandl, rhettinger, terry.reedy, gregory.p.smith, mark.dickinson, ncoghlan, pitrou, vstinner, techtonik, nadeem.vawda, benjamin.peterson, alex, Trundle, methane, dmalcolm, meador.inge, daniel.urban, Jeremy.Hylton, santoso.wijaya, eltoder, eric.snow, jcon, berker.peksag, pconnell, isoschiz, pstch |
2017-01-31 14:32:55 | serhiy.storchaka | set | messageid: <1485873175.69.0.317361553411.issue11549@psf.upfronthosting.co.za> |
2017-01-31 14:32:55 | serhiy.storchaka | link | issue11549 messages |
2017-01-31 14:32:55 | serhiy.storchaka | create | |
|