
On Sat, Sep 5, 2020 at 10:11 AM Steven D'Aprano steve@pearwood.info wrote:
> On Fri, Sep 04, 2020 at 06:10:23PM -0400, Cade Brown wrote:
> > I mentioned that in my post; however it doesn't satisfy the problems I have (mainly being that eval(repr(x))==x)
>
> Further to my previous comment, if you *absolutely must* use eval, you can mitigate some (but not all) security threats and solve your eval(repr) issue:
>
>     import math
>
>     # evaluate string `s` a little bit less dangerously
>     if '_' in s:
>         raise ValueError('underscore prohibited')
>     else:
>         eval(s, {'inf': math.inf, '__builtins__': None})
>
> But don't expect that to actually be secure. It mitigates SOME security threats.
I think Python would do very well to have a "restricted evaluation" function. Looking at the source code for literal_eval, it doesn't seem too hard to add a check alongside the Constant handler to say "if it's Name, context Load, look up the name in the provided dict".
ChrisA
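An added example (not code from anyone in this thread or from CPython) of the check ChrisA describes: a literal_eval-style AST walker in which an ast.Name in Load context is resolved from a caller-supplied dict, so repr(float('inf')) round-trips without general eval. The function name, the is_rejected helper and the ALLOWED dict are my choices, and the complex-number BinOp case that the real ast.literal_eval handles is left out.

```python
import ast
import math


def restricted_literal_eval(source, names):
    """Evaluate a literal like ast.literal_eval, plus bare names from `names`.

    Hypothetical API, not part of the stdlib. Any node other than a
    literal container, a constant, a sign, or an allowed Name is refused.
    """
    node = ast.parse(source.strip(), mode="eval").body

    def convert(n):
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load):
            # The extra check next to the Constant handler: a name is
            # only a lookup in the dict the caller provided, never a
            # lookup in globals, builtins or attributes.
            if n.id in names:
                return names[n.id]
            raise ValueError(f"name {n.id!r} is not permitted")
        if isinstance(n, ast.Tuple):
            return tuple(convert(e) for e in n.elts)
        if isinstance(n, ast.List):
            return [convert(e) for e in n.elts]
        if isinstance(n, ast.Set):
            return {convert(e) for e in n.elts}
        if isinstance(n, ast.Dict):
            return {convert(k): convert(v) for k, v in zip(n.keys, n.values)}
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, (ast.UAdd, ast.USub)):
            operand = convert(n.operand)
            if isinstance(operand, (int, float, complex)):
                return operand if isinstance(n.op, ast.UAdd) else -operand
        # Calls, attributes, subscripts, comprehensions, etc. all land here.
        raise ValueError(f"malformed node or string: {ast.dump(n)}")

    return convert(node)


# Constructed allow-list: just the float reprs that literal_eval cannot parse.
ALLOWED = {"inf": math.inf, "nan": math.nan}


def is_rejected(source, names=ALLOWED):
    """True when `source` is refused rather than evaluated."""
    try:
        restricted_literal_eval(source, names)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    data = [1.0, math.inf, (2, -math.inf)]
    print(restricted_literal_eval(repr(data), ALLOWED) == data)  # True
```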