Message313185
Thank you Brett! The comment LGTM.
Is it worth to add warnings to other functions?
* compile(), exec() and eval(). They are crashed due to recursion in the AST optimizer. This is a regression of 3.7. compile(..., PyCF_ONLY_AST) is the same as ast.parse() and crashed in older versions.
* dbm.dumb.open(). It calls ast.literal_eval(). The dbm.dumb databases are considered slow but portable. Before issue22885 this function was even more vulnerable due to using eval(). Since changing it to ast.literal_eval() some developers could consider it safe, but this is not true.
* A number of functions in the inspect module which directly or indirectly call ast.parse() on the __text_signature__ attribute. The risk of this vulnerability is very low. |
|
Date |
User |
Action |
Args |
2018-03-03 11:55:24 | serhiy.storchaka | set | recipients:
+ serhiy.storchaka, brett.cannon, terry.reedy, ncoghlan, benjamin.peterson, docs@python, yselivanov |
2018-03-03 11:55:24 | serhiy.storchaka | set | messageid: <1520078124.4.0.467229070634.issue32758@psf.upfronthosting.co.za> |
2018-03-03 11:55:24 | serhiy.storchaka | link | issue32758 messages |
2018-03-03 11:55:24 | serhiy.storchaka | create | |
|