On Sat, Sep 5, 2020 at 10:11 AM Steven D'Aprano <st...@pearwood.info> wrote:
>
> On Fri, Sep 04, 2020 at 06:10:23PM -0400, Cade Brown wrote:
>
> > I mentioned that in my post; however it doesn't satisfy the problems I have
> > (mainly being that eval(repr(x))==x)
>
> Further to my previous comment, if you *absolutely must* use eval, you
> can mitigate some (but not all) security threats and solve your
> eval(repr) issue:
>
>     # evaluate string `s` a little bit less dangerously
>     if '_' in s:
>         raise ValueError('underscore prohibited')
>     else:
>         eval(s, {'inf': math.inf, '__builtins__': None})
>
But don't expect that to actually be secure. It mitigates SOME security
threats.

I think Python would do very well to have a "restricted evaluation"
function. Looking at the source code for literal_eval, it doesn't seem
too hard to add a check alongside the Constant handler to say "if it's
Name, context Load, look up the name in the provided dict".

ChrisA
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/JLZLEPLVT36IF62QKDQTQRAXQTUGBWP3/
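As an added example (not Chris's code and not CPython's literal_eval), here is the restricted evaluator sketched above: a literal_eval-style AST walk that additionally resolves ast.Name nodes in Load context against a caller-supplied dict, so that eval(repr(x)) round-trips inf and nan without exposing eval. The names restricted_eval, rejects and SAFE_NAMES are assumptions of this example.

```python
import ast
import math

# Names the caller chooses to expose. Only these identifiers resolve;
# attribute access, calls and subscripts are never reached at all.
SAFE_NAMES = {"inf": math.inf, "nan": math.nan}


def restricted_eval(source, names=SAFE_NAMES):
    """Evaluate a literal expression, resolving only whitelisted names.

    Like ast.literal_eval for constants and containers, plus ast.Name in
    Load context looked up in `names`. Any other node raises ValueError.
    Unlike literal_eval, BinOp is not accepted, so (1+2j) is rejected.
    """
    tree = ast.parse(source, mode="eval")

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            if node.id in names:
                return names[node.id]
            raise ValueError(f"name not permitted: {node.id!r}")
        if isinstance(node, ast.Tuple):
            return tuple(visit(e) for e in node.elts)
        if isinstance(node, ast.List):
            return [visit(e) for e in node.elts]
        if isinstance(node, ast.Set):
            return {visit(e) for e in node.elts}
        if isinstance(node, ast.Dict):
            return {visit(k): visit(v) for k, v in zip(node.keys, node.values)}
        # Unary +/- on a numeric operand, so that repr() output like -inf parses.
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
            operand = visit(node.operand)
            if isinstance(operand, (int, float, complex)):
                return operand if isinstance(node.op, ast.UAdd) else -operand
        raise ValueError(f"node not permitted: {type(node).__name__}")

    return visit(tree)


def rejects(source):
    """True if `source` is refused (bad syntax or a non-whitelisted node)."""
    try:
        restricted_eval(source)
    except (ValueError, SyntaxError):
        return True
    return False
```

Because the walk only ever reaches Constant, container and whitelisted Name nodes, the underscore ban in the quoted snippet is unnecessary here: a string literal such as 'a_b' is accepted while inf.__class__ is refused as an Attribute node.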