New submission from Nick Coghlan <ncogh...@gmail.com>:

The current implementation of PEP 391 relies on eval, which is substantially more permissive than the expected syntax described in the spec. This means the listen() feature provides an attack vector for injection of untrusted code.

While the documentation has been updated with a cautionary note to this effect, longer term, the use of eval() should be replaced with:

1. ast.literal_eval()
2. refactoring the str.format attribute and item lookup code into something suitable for reuse in other contexts (perhaps exposed via the ast module as "ast.lookup_eval()")

----------
components: Library (Lib)
messages: 166448
nosy: ncoghlan, vinay.sajip
priority: normal
severity: normal
stage: needs patch
status: open
title: Eliminate the use of eval() in the logging config implementation
type: security
versions: Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue15452>
_______________________________________
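A sketch of the two replacements the report proposes, added here as an illustration and not the logging module's or CPython's own code: literal values go through ast.literal_eval(), and "name.attr[key]" paths get a str.format-style lookup that accepts only attribute and item access, so a call or any other expression is rejected instead of being executed. The function names, the regular expressions and the sample namespace are assumptions made for this example.

```python
import ast
import re

# Constructed example: a restricted value converter in the spirit of the two
# replacements for eval() suggested in the report. Not code from CPython.

# A base name followed by any number of ".attr" or "[key]" parts, nothing else.
_LOOKUP_RE = re.compile(r"^\s*(\w+)((?:\.\w+|\[[^\]]+\])*)\s*$")
_PART_RE = re.compile(r"\.(\w+)|\[([^\]]+)\]")


def literal_value(text):
    """Parse a Python literal (str, int, list, dict, ...) without eval()."""
    # ast.literal_eval raises ValueError for anything that is not a literal,
    # including calls, attribute access and subscripts.
    return ast.literal_eval(text)


def lookup_value(text, namespace):
    """Resolve 'name.attr[key]' paths the way str.format does, without eval().

    Only dotted attribute access and [] item access are accepted; a call,
    an operator or any other syntax makes the whole path invalid.
    """
    match = _LOOKUP_RE.match(text)
    if not match:
        raise ValueError("not a plain attribute/item lookup: %r" % text)
    obj = namespace[match.group(1)]
    for attr, key in _PART_RE.findall(match.group(2)):
        if attr:
            obj = getattr(obj, attr)
        else:
            # Numeric keys index sequences; anything else is a mapping key.
            obj = obj[int(key)] if key.isdigit() else obj[key]
    return obj


def convert(text, namespace):
    """Try a literal first, then a lookup; never fall back to eval()."""
    try:
        return literal_value(text)
    except (ValueError, SyntaxError):
        return lookup_value(text, namespace)
```

Both paths raise ValueError on a call expression such as `levels.pop(0)`, which eval() would have executed.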