
Author cryptophoto
Recipients christian.heimes, cryptophoto, vstinner
Date 2020-11-26.12:55:05
Message-id <1606395305.44.0.50601018048.issue42472@roundup.psfhosted.org>
Content
The specification specifically allows for the restriction of access to globals via the second argument to eval.

While Christian and Victor make interesting, albeit suicidal, comments and references to other efforts, the fact remains that this is a violation of the standard, and is an exploitable security issue.

It's worth noting that the 1980's are long over now - people take security seriously these days, even when it's inconvenient.

The fix seems ridiculously trivial for what it's worth; introduce a flag that honors the intent of the second argument.
History
Date User Action Args
2020-11-26 12:55:05 cryptophoto set recipients: + cryptophoto, vstinner, christian.heimes
2020-11-26 12:55:05 cryptophoto set messageid: <1606395305.44.0.50601018048.issue42472@roundup.psfhosted.org>
2020-11-26 12:55:05 cryptophoto link issue42472 messages
2020-11-26 12:55:05 cryptophoto create