
Author pablogsal
Recipients BTaskaya, pablogsal, rhettinger, serhiy.storchaka
Date 2020-01-03.19:32:37
Message-id <1578079957.37.0.889521096198.issue39158@roundup.psfhosted.org>
In-reply-to
Content
The function literal_eval is not safe anymore as the constructor can be intercepted:

>>> import ast
>>> import builtins
>>> def evil_code(*args):
...     print("Something evil")
...
>>> builtins.set = evil_code
>>> ast.literal_eval("set()")
Something evil


I think we should either use {0}.__class__.

Also, the documentation now is wrong as the function does more than evaluate literals or container displays.
History
Date                 User       Action  Args
2020-01-03 19:32:37  pablogsal  set     recipients: + pablogsal, rhettinger, serhiy.storchaka, BTaskaya
2020-01-03 19:32:37  pablogsal  set     messageid: <1578079957.37.0.889521096198.issue39158@roundup.psfhosted.org>
2020-01-03 19:32:37  pablogsal  link    issue39158 messages
2020-01-03 19:32:37  pablogsal  create
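
The difference between resolving `set` by name and taking the type from a set display, as the message suggests with `{0}.__class__`, shown as an added example that is not part of the original message or of CPython's `ast` module. Both evaluator functions and the counting stub are hypothetical names made up for this sketch; the stub only records calls and forwards to the real type.

```python
import ast
import builtins

# Assumption of this sketch: take the type from a set display, so no lookup of
# the name `set` is involved (the `{0}.__class__` idea in the message).
_SET_TYPE = {0}.__class__

def _is_empty_set_call(node):
    """True only for the exact expression `set()` with no arguments."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "set" and not node.args and not node.keywords)

def eval_by_name(source):
    """Hypothetical evaluator: builds the empty set through the name `set`."""
    node = ast.parse(source, mode="eval").body
    if _is_empty_set_call(node):
        return set()  # resolved in builtins every time this line runs
    return ast.literal_eval(node)

def eval_by_captured_type(source):
    """Hypothetical evaluator: builds the empty set from the captured type."""
    node = ast.parse(source, mode="eval").body
    if _is_empty_set_call(node):
        return _SET_TYPE()  # unaffected by later rebinding of builtins.set
    return ast.literal_eval(node)

def compare_under_rebinding(source="set()"):
    """Rebind builtins.set to a counting stub, evaluate both ways, restore."""
    original, calls = builtins.set, []
    def counting_stub(*args):
        calls.append(args)
        return original(*args)
    builtins.set = counting_stub
    try:
        by_name = eval_by_name(source)
        hits_by_name = len(calls)
        by_type = eval_by_captured_type(source)
        hits_by_type = len(calls) - hits_by_name
    finally:
        builtins.set = original  # always restore the real builtin
    return hits_by_name, hits_by_type, by_name, by_type

if __name__ == "__main__":
    print(compare_under_rebinding())
```

The first two values returned by `compare_under_rebinding()` count how often the rebound name was reached by each evaluator; the last two are the evaluated results.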