[New-bugs-announce] [issue15452] Eliminate the use of eval() in the logging config implementation

Nick Coghlan report at bugs.python.org
Thu Jul 26 03:01:35 CEST 2012


New submission from Nick Coghlan <ncoghlan at gmail.com>:

The current implementation of PEP 391 relies on eval, which is substantially more permissive than the expected syntax described in the spec. This means the listen() feature provides an attack vector for injection of untrusted code.

While the documentation has been updated with a cautionary note to this effect, longer term, the use of eval() should be replaced with:

1. ast.literal_eval()
2. refactoring the str.format attribute and item lookup code into something suitable for reuse in other contexts (perhaps exposed via the ast module as "ast.lookup_eval()")

----------
components: Library (Lib)
messages: 166448
nosy: ncoghlan, vinay.sajip
priority: normal
severity: normal
stage: needs patch
status: open
title: Eliminate the use of eval() in the logging config implementation
type: security
versions: Python 3.4

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15452>
_______________________________________
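The post proposes replacing eval() in the logging config loader with ast.literal_eval() for literals plus a restricted "lookup" evaluator that only understands the attribute and item references str.format accepts. The following is an added example of what such a restricted evaluator looks like; it is not Nick Coghlan's patch, not CPython's logging.config code, and not an ast module API (the "ast.lookup_eval()" name in the post is only a suggestion). The functions `lookup_eval`, `safe_eval`, `resolve_cfg_reference`, `is_rejected` and the `CONFIG` dictionary are constructed for this illustration; Python 3.8+ is assumed.

```python
import ast
from collections.abc import Mapping
from typing import Any

# Constructed sample namespace standing in for a parsed dictConfig() dict.
CONFIG = {
    "handlers": {
        "email": ["smtp.example.invalid", 25],
        "console": {"level": "INFO"},
    },
    "root": {"level": "WARNING"},
}


def _resolve(node: ast.AST, namespace: Mapping[str, Any]) -> Any:
    """Walk one expression node, permitting only Name, Attribute and
    constant-index Subscript nodes; any other node type is an error."""
    if isinstance(node, ast.Name):
        if node.id not in namespace:
            raise KeyError(node.id)
        return namespace[node.id]
    if isinstance(node, ast.Attribute):
        # Refuse underscore names so dunder attributes cannot be traversed.
        if node.attr.startswith("_"):
            raise ValueError(f"underscore attribute refused: {node.attr!r}")
        base = _resolve(node.value, namespace)
        # Mapping keys first (the dictConfig case), object attributes otherwise.
        if isinstance(base, Mapping):
            return base[node.attr]
        return getattr(base, node.attr)
    if isinstance(node, ast.Subscript):
        index = node.slice
        legacy_index = getattr(ast, "Index", None)  # Python 3.8 wraps slices
        if legacy_index is not None and isinstance(index, legacy_index):
            index = index.value
        if not isinstance(index, ast.Constant) or not isinstance(index.value, (int, str)):
            raise ValueError("only int or str constant indexes are allowed")
        return _resolve(node.value, namespace)[index.value]
    raise ValueError(f"{type(node).__name__} is not allowed in a field reference")


def lookup_eval(expr: str, namespace: Mapping[str, Any]) -> Any:
    """Resolve a str.format-style field reference such as
    'handlers.email[0]' against namespace, without calling eval()."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid field reference: {expr!r}") from exc
    return _resolve(tree.body, namespace)


def safe_eval(expr: str, namespace: Mapping[str, Any]) -> Any:
    """Replacement for eval(expr, {}, namespace) in a config loader:
    literals go through ast.literal_eval, field references through
    lookup_eval, and everything else raises ValueError."""
    try:
        return ast.literal_eval(expr)
    except (ValueError, SyntaxError):
        pass  # not a literal; try the restricted lookup grammar
    return lookup_eval(expr, namespace)


def resolve_cfg_reference(value: str, namespace: Mapping[str, Any]) -> Any:
    """Handle the 'cfg://' prefix PEP 391 uses for intra-config references;
    other strings are returned unchanged."""
    prefix = "cfg://"
    if not value.startswith(prefix):
        return value
    return safe_eval(value[len(prefix):], namespace)


def is_rejected(expr: str, namespace: Mapping[str, Any] = CONFIG) -> bool:
    """True when safe_eval refuses expr (self-check helper)."""
    try:
        safe_eval(expr, namespace)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_cfg_reference("cfg://handlers.email[0]", CONFIG))
    print(resolve_cfg_reference("cfg://handlers.console.level", CONFIG))
    for bad in ("handlers.email.close()", "handlers.__class__", "import os"):
        print(bad, "->", "rejected" if is_rejected(bad) else "accepted")
```

The grammar accepted here is deliberately the one the spec describes (names, dotted attributes, constant indexes) and nothing more, so a configuration received over the listen() socket can reference other parts of the config but cannot call functions, evaluate operators, or reach dunder attributes.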
