
Author serhiy.storchaka
Recipients benjamin.peterson, brett.cannon, docs@python, ncoghlan, serhiy.storchaka, terry.reedy, yselivanov
Date 2018-03-03.11:55:24
Message-id <1520078124.4.0.467229070634.issue32758@psf.upfronthosting.co.za>
In-reply-to
Content
Thank you Brett! The comment LGTM.

Is it worth adding warnings to other functions?

* compile(), exec() and eval(). They crash due to recursion in the AST optimizer. This is a regression in 3.7. compile(..., PyCF_ONLY_AST) is the same as ast.parse() and crashed in older versions.

* dbm.dumb.open(). It calls ast.literal_eval(). The dbm.dumb databases are considered slow but portable. Before issue22885 this function was even more vulnerable due to using eval(). Since changing it to ast.literal_eval(), some developers could consider it safe, but this is not true.

* A number of functions in the inspect module which directly or indirectly call ast.parse() on the __text_signature__ attribute. The risk of this vulnerability is very low.