Message359251
The function literal_eval is not safe anymore as the constructor can be intercepted:
>>> import ast
>>> import builtins
>>> def evil_code(*args):
...     print("Something evil")
...
>>> builtins.set = evil_code
>>> ast.literal_eval("set()")
Something evil
I think we should either use {0}.__class__.
Also, the documentation now is wrong as the function does more than evaluate literals or container displays.

Date | User | Action | Args
2020-01-03 19:32:37 | pablogsal | set | recipients: + pablogsal, rhettinger, serhiy.storchaka, BTaskaya
2020-01-03 19:32:37 | pablogsal | set | messageid: <1578079957.37.0.889521096198.issue39158@roundup.psfhosted.org>
2020-01-03 19:32:37 | pablogsal | link | issue39158 messages
2020-01-03 19:32:37 | pablogsal | create |
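The following is an added example, not code from the message above or from CPython's ast module. It shows the mitigation the message proposes ({0}.__class__) in a small literal evaluator: every container type is taken from a display, which compiles to a BUILD_* opcode, so no name such as "set" is resolved through builtins at evaluation time. The helper resolves_set_by_name is a check, not part of any library: it temporarily rebinds builtins.set to a recording stub, exactly as the interactive session does, and reports whether the evaluator under test reached it. The function and variable names are the example's own; the example applies the same treatment to tuple, list and dict because those names are ordinary builtin lookups too, and it makes no claim beyond that (isinstance, ValueError and the number types are still looked up by name).

```python
import ast
import builtins

# Container types captured from displays. A display compiles to a BUILD_*
# opcode, so the real type is obtained even if a name such as "set" has been
# rebound in builtins, which is the interception shown in the message above.
_TUPLE = ().__class__
_LIST = [].__class__
_SET = {0}.__class__
_DICT = {}.__class__


def strict_literal_eval(source):
    """Evaluate a literal or container-display string without resolving any
    container name through builtins; "set()" yields an empty real set.
    Hypothetical name, not the stdlib function."""
    tree = ast.parse(source, mode="eval")

    def convert(node):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Tuple):
            return _TUPLE(convert(e) for e in node.elts)
        if isinstance(node, ast.List):
            return _LIST(convert(e) for e in node.elts)
        if isinstance(node, ast.Set):
            return _SET(convert(e) for e in node.elts)
        if isinstance(node, ast.Dict):
            return _DICT((convert(k), convert(v))
                         for k, v in zip(node.keys, node.values))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
            operand = convert(node.operand)
            if isinstance(operand, (int, float, complex)) and not isinstance(operand, bool):
                return +operand if isinstance(node.op, ast.UAdd) else -operand
        # The only call form accepted is a bare "set()", and it is answered
        # with the captured type rather than by looking the name up.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "set" and not node.args and not node.keywords):
            return _SET()
        raise ValueError(f"malformed literal: {type(node).__name__}")

    return convert(tree.body)


def resolves_set_by_name(evaluator, source="set()"):
    """Return True if `evaluator` reaches builtins.set while evaluating
    `source`. Rebinds the name to a recording stub for the duration of the
    call, as the interactive session above does, and always restores it."""
    calls = []
    real_set = builtins.set

    def recording_stub(*args, **kwargs):
        calls.append((args, kwargs))
        return real_set(*args, **kwargs)

    builtins.set = recording_stub
    try:
        evaluator(source)
    except ValueError:
        pass  # evaluators that reject "set()" outright never reach the name
    finally:
        builtins.set = real_set
    return bool(calls)


if __name__ == "__main__":
    print(strict_literal_eval("set()"), strict_literal_eval("{'a': (1, -2), 'b': {3}}"))
    print("strict evaluator resolves set by name:", resolves_set_by_name(strict_literal_eval))
    print("ast.literal_eval resolves set by name:", resolves_set_by_name(ast.literal_eval))
```

Running resolves_set_by_name against ast.literal_eval shows, on the interpreter at hand, whether that version answers "set()" through a builtins lookup; the result depends on the Python version, which is why the example reports it rather than assuming it.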