Message 304367 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	terry.reedy
Recipients	David Bieber, benjamin.peterson, brett.cannon, ncoghlan, terry.reedy, yselivanov
Date	2017-10-13.22:03:43
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1507932224.7.0.213398074469.issue31778@psf.upfronthosting.co.za>
In-reply-to

Content
It has been some time since literal_eval literally only evaluated literals. 'constant_eval' might be a better name now, with the proviso of 'safely, in reasonable time'. >>> from ast import literal_eval as le >>> le('(1,2,3)') (1, 2, 3) >>> le('(1,2, (3,4))') (1, 2, (3, 4)) I believe there was once a time when a simple tuple would be evaluated, while a nested one would not be. "It is not capable of evaluating arbitrarily complex expressions, for example involving operators or indexing." I do not read this as prohibiting all operators, but rather that now all will be accepted. >>> le(2**2) ... ValueError: malformed node or string: 4 Exponentiation of ints can take exponential time and can be used for denial of service attacks. >>> le('2017-10-10') 1997 This is correct. For '2017-10-10' to be a string representing a date, it must be quoted as a string in the code. >>> le("'2017-10-10'") '2017-10-10' Rolling back previous enhancements would break existing code, so a deprecation period would be required. But I would be inclined to instead update the doc to match the updated code better. Lets see what others think.

It has been some time since literal_eval literally only evaluated literals.  'constant_eval' might be a better name now, with the proviso of 'safely, in reasonable time'.

>>> from ast import literal_eval as le
>>> le('(1,2,3)')
(1, 2, 3)
>>> le('(1,2, (3,4))')
(1, 2, (3, 4))

I believe there was once a time when a simple tuple would be evaluated, while a nested one would not be.

"It is not capable of evaluating arbitrarily complex expressions, for example involving operators or indexing."  I do not read this as prohibiting all operators, but rather that now all will be accepted.

>>> le(2**2)
...
ValueError: malformed node or string: 4

Exponentiation of ints can take exponential time and can be used for denial of service attacks.

>>> le('2017-10-10')
1997

This is correct.  For '2017-10-10' to be a string representing a date, it must be quoted as a string in the code.

>>> le("'2017-10-10'")
'2017-10-10'

Rolling back previous enhancements would break existing code, so a deprecation period would be required.  But I would be inclined to instead update the doc to match the updated code better.  Lets see what others think.

History
Date	User	Action	Args
2017-10-13 22:03:44	terry.reedy	set	recipients: + terry.reedy, brett.cannon, ncoghlan, benjamin.peterson, yselivanov, David Bieber
2017-10-13 22:03:44	terry.reedy	set	messageid: <1507932224.7.0.213398074469.issue31778@psf.upfronthosting.co.za>
2017-10-13 22:03:44	terry.reedy	link	issue31778 messages
2017-10-13 22:03:43	terry.reedy	create