On 6 Oct 2020, at 16:22, Florian Bruhin wrote:
https://github.com/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3
commit: a8bf44d04915f7366d9f8dfbf84822ac37a4bab3
branch: master
author: Florian Bruhin <m...@the-compiler.org>
committer: GitHub <nore...@github.com>
date: 2020-10-06T16:21:56+02:00
summary:
bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)

Similarly to GH-22566, those tests called eval() on content received via HTTP in test_named_sequences_full. This likely isn't exploitable because unicodedata.lookup(seqname) is called before self.checkletter(seqname, None) - thus any string which isn't a valid unicode character name wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
files:
M Lib/test/test_ucn.py
[...]
# Helper that put all \N escapes inside eval'd raw strings,
# to make sure this script runs even if the compiler
# chokes on \N escapes
- res = eval(r'"\N{%s}"' % name)
+ res = ast.literal_eval(r'"\N{%s}"' % name)
self.assertEqual(res, code)
return res
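Review bot: the comment directly above the changed line still describes the escapes as sitting inside "eval'd raw strings", which no longer matches the `+` line that switches to ast.literal_eval(); update it to "literal_eval'd" (or simply "parsed") so the comment and the code agree. Also confirm that the `import ast` this line depends on is added at the top of Lib/test/test_ucn.py; it is not visible in the elided part of this excerpt. Note that ast.literal_eval() raises (ValueError or SyntaxError) rather than executing anything when `name` breaks out of the quoted literal, so the following `self.assertEqual(res, code)` is only ever reached for a well-formed \N escape, which is the intended behaviour here.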
It would be even simpler to use unicodedata.lookup(), which returns the unicode character when passed the name of the character, e.g.

>>> unicodedata.lookup("NO-BREAK SPACE")
'\xa0'
Servus,
Walter
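The three lookup strategies this thread compares, as an added example that is not part of the original message or of CPython's test suite: the eval() pattern the commit removes, the ast.literal_eval() replacement from the hunk, and Walter's unicodedata.lookup() alternative, each run against a benign name and against a constructed hostile name. The names HOSTILE_NAME, EXECUTED, outcome() and compare() are assumptions made for this demonstration; the hostile name is constructed so that it compiles under eval() (it begins with a real character name) and then closes the literal and appends an expression.

```python
import ast
import unicodedata

# Side channel used only by this demonstration to prove that attacker-controlled
# text was actually executed by eval(). Not part of CPython's tests.
EXECUTED = []

# Constructed hostile "character name" (assumption for this example). It starts
# with a real name so the \N{...} escape compiles, closes the string literal,
# appends an arbitrary expression, and ends with an open \N{ escape so that the
# template's trailing '}"' completes it instead of leaving a stray literal.
HOSTILE_NAME = r'NO-BREAK SPACE}" + str(EXECUTED.append("ran")) + "\N{NO-BREAK SPACE'


def lookup_via_eval(name):
    """The pattern the commit removes: eval() over source text built from `name`."""
    return eval(r'"\N{%s}"' % name)


def lookup_via_literal_eval(name):
    """The commit's replacement: ast.literal_eval() accepts literal syntax only,
    so a name that escapes the quotes yields an exception, never execution."""
    return ast.literal_eval(r'"\N{%s}"' % name)


def lookup_via_unicodedata(name):
    """Walter's suggestion: resolve the name directly; no source text is parsed."""
    return unicodedata.lookup(name)


def outcome(func, name):
    """Return the resolved character, or the exception class name if the
    strategy rejected the input."""
    try:
        return func(name)
    except (ValueError, SyntaxError, KeyError) as exc:
        return type(exc).__name__


def compare(name):
    """Run all three strategies on one name and report each outcome."""
    return {
        "eval": outcome(lookup_via_eval, name),
        "literal_eval": outcome(lookup_via_literal_eval, name),
        "unicodedata": outcome(lookup_via_unicodedata, name),
    }


if __name__ == "__main__":
    print(compare("NO-BREAK SPACE"))
    EXECUTED.clear()
    print(compare(HOSTILE_NAME))
    print("attacker expression executed by eval():", EXECUTED)
```

For the benign name all three return '\xa0'. For the hostile name, eval() returns '\xa0None\xa0' and leaves "ran" in EXECUTED, showing that the appended expression ran; ast.literal_eval() raises ValueError because the parsed expression contains a call, and unicodedata.lookup() raises KeyError because no such character name exists.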
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at
https://mail.python.org/archives/list/python-dev@python.org/message/3S7BHOFRG3KYYXQUBGZBFTDIDN2IHG3M/
Code of Conduct: http://python.org/psf/codeofconduct/