
Author: pablogsal
Recipients: BTaskaya, pablogsal, rhettinger, serhiy.storchaka
Date: 2020-01-03.19:31:46
Message-id: <1578079906.88.0.72127635533.issue39158@roundup.psfhosted.org>
Content
The function literal_eval is not safe anymore as the constructor can be intercepted:

>>> import builtins
>>> def evil_code(*args):
...     print("Something evil")
...
>>> builtins.set = evil_code
>>> import ast
>>> ast.literSomething evil

KeyboardInterrupt
>>> ast.literal_eval("set()")
Something evil


I think we should either use {0}.__class__.

Also, the documentation now is wrong as the function does more than evaluate literals or container displays.
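Added example (not part of the message and not CPython's ast module): it makes the distinction behind the report concrete by replacing builtins.set with a recording stand-in and showing that a call written as set() picks up the replacement at call time, while a type captured at import time with {0}.__class__ does not. literal_eval_with_empty_set, probe_builtin_lookup and demo are names made up for this example.

```python
import ast
import builtins

# Captured once at import time, as the message suggests: rebinding
# builtins.set later cannot change what this name refers to.
_SET_TYPE = {0}.__class__


def literal_eval_with_empty_set(text):
    """Hypothetical wrapper (not CPython's code): accept the call 'set()' as an
    empty-set literal without ever looking up the *name* 'set' at call time."""
    node = ast.parse(text, mode="eval").body
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "set" and not node.args and not node.keywords):
        return _SET_TYPE()
    return ast.literal_eval(text)


def probe_builtin_lookup(expr_fn):
    """Run expr_fn while builtins.set is replaced by a recording stand-in
    (constructed here in place of the message's evil_code) and return
    (number_of_intercepted_calls, result); the real builtin is always restored."""
    calls = []

    def intercepted(*args, **kwargs):
        calls.append((args, kwargs))
        return "intercepted"

    original = builtins.set
    builtins.set = intercepted
    try:
        result = expr_fn()
    finally:
        builtins.set = original
    return len(calls), result


def demo():
    # 1. A bare call to the name 'set' is resolved through builtins when the
    #    call runs, so the replacement is what gets called: (1, 'intercepted').
    late_bound = probe_builtin_lookup(lambda: set())
    # 2. The type captured at import time bypasses the name lookup: (0, set()).
    early_bound = probe_builtin_lookup(lambda: _SET_TYPE())
    # 3. The wrapper above never touches the name either: (0, set()).
    wrapper = probe_builtin_lookup(lambda: literal_eval_with_empty_set("set()"))
    # 4. The stdlib path from the report, on interpreters that accept "set()"
    #    at all (3.9+); older versions raise ValueError and yield None here.
    try:
        stdlib = probe_builtin_lookup(lambda: ast.literal_eval("set()"))
    except ValueError:
        stdlib = None
    return late_bound, early_bound, wrapper, stdlib
```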
History
Date                 User       Action   Args
2020-01-03 19:32:13  pablogsal  unlink   issue39158 messages
2020-01-03 19:31:46  pablogsal  set      recipients: + pablogsal, rhettinger, serhiy.storchaka, BTaskaya
2020-01-03 19:31:46  pablogsal  set      messageid: <1578079906.88.0.72127635533.issue39158@roundup.psfhosted.org>
2020-01-03 19:31:46  pablogsal  link     issue39158 messages
2020-01-03 19:31:46  pablogsal  create