On 2017-11-07 08:29 AM, אלעזר wrote:

> The dangers of eval and exec are obvious and well known to advanced users, but the availability as built-in functions makes it too tempting for beginners or even medium-level programmers. You can see questions about these functions pretty often on Stack Overflow (roughly once a day, though sometimes the uses are legitimate).
>
> Maybe we could start a ten-year process of deprecating the use of `builtins.eval` (in the docs, and then with warnings)? `builtins.eval` will be a wrapper to the real evaluation function, moved to `unsafe.eval` or something obvious like that, so all you need to do to port your code is to add `from unsafe import unsafe_eval as eval, unsafe_exec as exec` at the top of the file; it will be a nice warning to the reader.
>
> The fact that it is a wrapper will slightly slow it down and make the stack traces noisier - both are good things, IMO.
>
> Also, it is unfortunate that `ast.literal_eval` is less accessible than `builtins.eval`. Giving it an alias in builtins might make it easier for programmers (and less scary - "ast" might sound like I need a PhD to use it).
>
> What do you think?

Please don't!

exec("def one(x):\n [r] = x\n return r")  # who says python doesn't have one-liners?

(ofc, some would argue you should use:

one = (lambda x: (lambda y: y)(*x))

but I digress)


Python-ideas mailing list
Code of Conduct: http://python.org/psf/codeofconduct/
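An added example, not part of either message in this thread, showing the distinction the quoted proposal rests on: `ast.literal_eval` only ever reconstructs literal values, so the same untrusted text that `eval` would execute is simply rejected. The sample strings are constructed for the demonstration; `eval` is applied to them here only because they are trusted constants, to make the contrast visible.

```python
import ast

# Constructed sample inputs, standing in for text a program receives from an
# untrusted source (a config file, a form field, a message on the wire).
SAMPLES = [
    "[1, 2, 3]",                       # a plain list literal
    "{'user': 'bob', 'admin': False}", # a dict literal
    "len('abc')",                      # a call: eval runs it, literal_eval refuses
    "[i for i in range(3)]",           # a comprehension: also refused
]


def parse_literal(text):
    """Parse untrusted text as a Python literal.

    Returns (True, value) for literals (strings, bytes, numbers, tuples,
    lists, dicts, sets, booleans, None) and (False, error_name) for anything
    that would need evaluation: names, calls, attribute access, comprehensions.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return False, type(exc).__name__


def classify(samples=SAMPLES):
    """Map each sample to what literal_eval and eval make of it."""
    out = {}
    for text in samples:
        ok, value = parse_literal(text)
        # eval is only called on the constructed, trusted samples above; the
        # point is that it happily evaluates what literal_eval just rejected.
        out[text] = {"literal_eval": (ok, value), "eval": eval(text)}
    return out


if __name__ == "__main__":
    for text, verdicts in classify().items():
        print(f"{text!r:40} literal_eval={verdicts['literal_eval']} eval={verdicts['eval']!r}")
```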