Serhiy Storchaka added the comment:

> Since the Python compiler doesn't produce ast.Constant, there is no
change in practice in ast.literal_eval(). If you found a bug, please
open a new issue.

Currently there is no bug in ast.literal_eval() because the '**' operator is 
not accepted.

>>> ast.literal_eval("2**2**32")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/serhiy/py/cpython/Lib/ast.py", line 85, in literal_eval
    return _convert(node_or_string)
  File "/home/serhiy/py/cpython/Lib/ast.py", line 84, in _convert
    raise ValueError('malformed node or string: ' + repr(node))
ValueError: malformed node or string: <_ast.BinOp object at 0xb6f2fa4c>

But if the optimization is moved to the AST level, this can add a vulnerability to a DoS 
attack. The optimizer should do additional checks before executing operators 
that can return a too large value or take too much CPU time. Currently this 
vulnerability is present in the peephole optimizer.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11549>
_______________________________________
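An added example (not code from the comment or from CPython's optimizer) of the kind of check the comment asks for, sketched at the AST level: fold an integer literal sub-expression only when a cheap bound on the size of its result stays under a budget, so `2**2**32` is left for run time instead of being computed at compile time. MAX_BITS, the bound formulas and the `fold` helper are assumptions here; it uses ast.Constant and ast.unparse, so Python 3.9+.

```python
import ast

# Hypothetical budget (an assumption, not CPython's value): fold a constant
# sub-expression only when its result provably fits in this many bits.
MAX_BITS = 128
_OPS = {
    ast.Add: lambda a, b: a + b,
    ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b,
    ast.Pow: lambda a, b: a ** b,
    ast.LShift: lambda a, b: a << b,
}

def _bits(n):
    return abs(n).bit_length()

def estimate_bits(op, left, right):
    """Upper bound on the bit size of `left <op> right` for non-negative ints,
    computed without performing the operation, so the check itself is cheap."""
    if isinstance(op, ast.Pow):
        return _bits(left) * right  # left < 2**k  =>  left**right <= 2**(k*right)
    if isinstance(op, ast.LShift):
        return _bits(left) + right
    if isinstance(op, ast.Mult):
        return _bits(left) + _bits(right)
    return max(_bits(left), _bits(right)) + 1  # Add / Sub

class BoundedFolder(ast.NodeTransformer):
    """Folds int-literal BinOps only when the result is provably small."""
    def __init__(self, max_bits=MAX_BITS):
        self.max_bits = max_bits
        self.skipped = []  # sub-expressions deliberately left to run time
    def visit_BinOp(self, node):
        self.generic_visit(node)  # fold operands first: 2**2**32 folds inner 2**32
        left, right = node.left, node.right
        if type(node.op) not in _OPS or not all(
            isinstance(n, ast.Constant) and type(n.value) is int and n.value >= 0
            for n in (left, right)):
            return node
        if estimate_bits(node.op, left.value, right.value) > self.max_bits:
            self.skipped.append(ast.unparse(node))
            return node
        value = _OPS[type(node.op)](left.value, right.value)
        return ast.copy_location(ast.Constant(value), node)

def fold(source, max_bits=MAX_BITS):
    """Return (folded source, list of sub-expressions skipped as too large)."""
    folder = BoundedFolder(max_bits)
    tree = ast.fix_missing_locations(folder.visit(ast.parse(source, mode="eval")))
    return ast.unparse(tree), folder.skipped
```

The inner `2**32` is folded because its bound is 64 bits, while the outer power is skipped because its bound exceeds the budget; the estimate never multiplies the big numbers itself.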