[issue31778] ast.literal_eval supports non-literals in Python 3

Change by Serhiy Storchaka : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker

[issue31778] ast.literal_eval supports non-literals in Python 3

Serhiy Storchaka added the comment: New changeset d8ac4d1d5ac256ebf3d8d38c226049abec82a2a0 by Serhiy Storchaka in branch 'master': bpo-31778: Make ast.literal_eval() more strict. (#4035)

[issue31778] ast.literal_eval supports non-literals in Python 3

Neil Schemenauer added the comment: Just a comment on what I guess is the intended use of literal_eval(), i.e. taking a potentially untrusted string and turning it into a Python object. Exposing the whole of the Python parser to potential attackers would make me very

[issue31778] ast.literal_eval supports non-literals in Python 3

Serhiy Storchaka added the comment: Ping. -- ___ Python tracker ___ ___

[issue31778] ast.literal_eval supports non-literals in Python 3

Change by Yury Selivanov : -- nosy: -yselivanov ___ Python tracker ___ ___

[issue31778] ast.literal_eval supports non-literals in Python 3

Serhiy Storchaka added the comment: PR 4035 makes ast.literal_eval() more strict. -- versions: -Python 3.6, Python 3.8 ___ Python tracker

[issue31778] ast.literal_eval supports non-literals in Python 3

Change by Serhiy Storchaka : -- keywords: +patch pull_requests: +4009 stage: -> patch review ___ Python tracker ___

[issue31778] ast.literal_eval supports non-literals in Python 3

Serhiy Storchaka added the comment: """ The string or node provided may only consist of the following Python literal structures: strings, bytes, numbers, tuples, lists, dicts, sets, booleans, and None. """ 1+1 is not a literal number. """ It is not capable of

[issue31778] ast.literal_eval supports non-literals in Python 3

R. David Murray added the comment: "Safely evaluate an expression node or a string containing a Python expression." The behavior you are citing matches that documentation, as far as I can see. 1+1 is an expression involving supported literals. -- nosy:

[issue31778] ast.literal_eval supports non-literals in Python 3

Serhiy Storchaka added the comment: The support of parsing addition and subtraction at any level of nesting was added by bc95973b51abadc84960e7836ce313f12cf515cf. The commit message and NEWS entry don't contain an issue number, thus the rationale of this change is

[issue31778] ast.literal_eval supports non-literals in Python 3

David Bieber added the comment: # Replies > Rolling back previous enhancements would break existing code. I sympathize completely with the need to maintain backward compatibility. And if this is the reason that this issue gets treated only as a documentation issue,

[issue31778] ast.literal_eval supports non-literals in Python 3

Nick Coghlan added the comment: I'm marking this as documentation issue for now, as the operators that literal_eval allows are solely those where constant folding support is needed to correctly handle complex and negative numbers (as noted in the original post): ``` >>>

[issue31778] ast.literal_eval supports non-literals in Python 3

Terry J. Reedy added the comment: It has been some time since literal_eval literally only evaluated literals. 'constant_eval' might be a better name now, with the proviso of 'safely, in reasonable time'. >>> from ast import literal_eval as le >>> le('(1,2,3)') (1, 2, 3)

[issue31778] ast.literal_eval supports non-literals in Python 3

Change by David Bieber : -- type: -> behavior ___ Python tracker ___ ___

[issue31778] ast.literal_eval supports non-literals in Python 3

New submission from David Bieber : # Overview ast.literal_eval supports some non-literals in Python 3. The behavior of this function runs contrary to the documented behavior. # The Issue The [documentation](https://docs.python.org/3/library/ast.html#ast.literal_eval) says