[New-bugs-announce] [issue7935] Cross-reference ast.literal_eval() from eval() docs

Kent Johnson report at bugs.python.org
Mon Feb 15 14:38:19 CET 2010

New submission from Kent Johnson <kent at kentsjohnson.com>:

eval() is a known security hole. Since Python 2.6 ast.literal_eval() provides a better alternative in many cases. literal_eval() is not as well known as eval() and not easy to find even if you know it exists (but don't remember the name).

eval() comes up over and over in the Python-tutor list and the attendant warnings are repeated ad nauseum; literal_eval() is rarely mentioned as an alternative.

Suggestion: in the docs for eval(), put a warning about security risks and a cross-reference to literal_eval(). For example:

Warning: eval() executes any expression and should be used only with trusted input. ast.literal_eval() is a safe alternative for evaluating expressions containing only Python literals.


assignee: georg.brandl
components: Documentation
messages: 99363
nosy: georg.brandl, kjohnson
severity: normal
status: open
title: Cross-reference ast.literal_eval() from eval() docs
type: feature request
versions: Python 2.6

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list