[ python-Feature Requests-1237678 ] add a note to eval and exec to not use it when possible

SourceForge.net noreply at sourceforge.net
Wed Jul 13 23:45:06 CEST 2005


Feature Requests item #1237678, was opened at 2005-07-13 11:45
Message generated for change (Comment added) made by rhettinger
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=355470&aid=1237678&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Documentation
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Submitted By: Reinhold Birkenfeld (birkenfeld)
Assigned to: Nobody/Anonymous (nobody)
Summary: add a note to eval and exec to not use it when possible

Initial Comment:
The docs for eval and exec should have pointers on how to
avoid them, e.g. by using locals(), globals(), getattr,
setattr etc.

Many questions pop up on c.l.py which could be answered
by this.

----------------------------------------------------------------------

>Comment By: Raymond Hettinger (rhettinger)
Date: 2005-07-13 16:45

Message:
Logged In: YES 
user_id=80475

This should not be in the docs.  Both eval() and exec are
legitimate parts of the language with valid use cases.
Avoidance of eval() and exec is a comp.lang.python security
cult.

If you feel the need, write a FAQ entry and submit it to
Andrew.  The entry should be neutrally worded with an
informative note on the security risks of blindly running
untrusted code and with a short listing of faster or more
secure approaches for common use cases.  Also, mention that
input() includes an implicit call to eval().

----------------------------------------------------------------------
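The two comments above point at the same material from different angles: the request wants the eval/exec docs to name the name-based alternatives (getattr, setattr, a namespace dict), and the reply wants a FAQ entry listing safer approaches for common use cases, including the fact that Python 2's input() wraps eval(). The following is an added example, not code from the tracker thread or from the Python documentation. The Config class, the helper names and the sample strings are constructed for illustration; ast.literal_eval is the standard-library function that evaluates only literal syntax and raises ValueError on anything else (in Python 3, input() returns the raw string, so the literal_eval step is what replaces the implicit eval of Python 2's input()).

```python
"""Added example: eval()/exec-free alternatives for the common cases the
thread mentions. Config, the helpers and the sample inputs are constructed."""
import ast


class Config:
    """Constructed sample object with a couple of attributes."""

    def __init__(self):
        self.host = "localhost"
        self.port = 8080


def get_field_via_eval(obj, name):
    # The pattern the request wants the docs to steer readers away from:
    # the attribute name is spliced into source text and evaluated, so
    # whatever expression arrives in `name` runs with full interpreter
    # privileges. Kept here only as the "before" for comparison.
    return eval("obj." + name)


def get_field(obj, name):
    # Same lookup without evaluating source: getattr resolves an attribute
    # by name and nothing else. A string that is not a plain attribute
    # name (e.g. "host.upper()") raises AttributeError instead of running.
    return getattr(obj, name)


def set_field(obj, name, value):
    # Replacement for exec("obj.%s = %r" % (name, value)).
    setattr(obj, name, value)
    return getattr(obj, name)


def assign_variables(pairs):
    # Replacement for exec("%s = %r" % (name, value)) used to create
    # "dynamic variables": keep the values in a dict keyed by name.
    namespace = {}
    for name, value in pairs:
        if not name.isidentifier():
            raise ValueError("not a valid identifier: %r" % (name,))
        namespace[name] = value
    return namespace


def parse_user_value(text):
    # Python 2's input() was eval(raw_input()). ast.literal_eval accepts
    # only literals (numbers, strings, tuples, lists, dicts, booleans,
    # None) and raises ValueError for any other construct such as a call.
    return ast.literal_eval(text)


def demo():
    """Runs each alternative on constructed input and returns the results."""
    cfg = Config()
    results = {}
    results["eval_lookup"] = get_field_via_eval(cfg, "port")
    results["getattr_lookup"] = get_field(cfg, "port")
    results["setattr"] = set_field(cfg, "port", 9090)
    results["namespace"] = assign_variables([("x", 1), ("y", 2)])
    results["literal"] = parse_user_value("[1, 2, 3]")
    try:
        parse_user_value("len('abc')")  # a call, not a literal
        results["rejected_call"] = False
    except ValueError:
        results["rejected_call"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

The getattr/setattr and dict versions do exactly what the eval/exec versions did for well-formed names and fail closed (AttributeError or ValueError) for anything else, which is the property the eval-based code lacks; literal_eval gives the same fail-closed behaviour for user-typed values.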
