Pablo Galindo Salgado <[email protected]> added the comment:
The function literal_eval is not safe anymore as the constructor can be
intercepted:
>>> import builtins
>>> def evil_code(*args):
...     print("Something evil")
...
>>> builtins.set = evil_code
>>> import ast
>>> ast.literSomething evil
KeyboardInterrupt
>>> ast.literal_eval("set()")
Something evil
I think we should either use {0}.__class__.
Also, the documentation now is wrong as the function does more than evaluate
literals or container displays.
----------
resolution: fixed ->
status: closed -> open
Python tracker <[email protected]>
<https://bugs.python.org/issue39158>
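Added illustration of the point above (not CPython's ast.py and not code from the comment): two minimal converters for the AST of a bare set() call, one building the result through a name lookup of set, the other through {0}.__class__ as the comment suggests. demo() runs both while builtins.set is temporarily rebound to a constructed marker function and returns what each produced.

```python
import ast
import builtins
import contextlib


def _is_empty_set_call(node):
    """True for the AST of a bare ``set()`` call with no arguments or keywords."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "set"
            and not node.args and not node.keywords)


def convert_by_name(source):
    """Interceptable: the ``set()`` below is a name lookup that reaches builtins."""
    node = ast.parse(source, mode="eval").body
    if _is_empty_set_call(node):
        return set()
    raise ValueError("this illustration only handles set()")


def convert_by_class(source):
    """Hardened: ``{0}.__class__`` is the real set type, taken from a set display."""
    node = ast.parse(source, mode="eval").body
    if _is_empty_set_call(node):
        return {0}.__class__()
    raise ValueError("this illustration only handles set()")


@contextlib.contextmanager
def rebound_builtin_set():
    """Rebind builtins.set to a marker, as the report does, and restore it afterwards."""
    def marker(*args, **kwargs):
        return "intercepted"  # constructed marker value instead of a printed message
    original = builtins.set
    builtins.set = marker
    try:
        yield
    finally:
        builtins.set = original


def demo():
    """Return (by_name, by_class) results for "set()" while builtins.set is rebound."""
    with rebound_builtin_set():
        return convert_by_name("set()"), convert_by_class("set()")
```

demo() returns ("intercepted", set()): only the name-lookup variant is affected, and the rebinding is undone on exit so the rest of the interpreter is untouched.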