[Python-ideas] Any chance on (slowly) deprecating `eval` and `exec` as builtins?

Chris Angelico rosuav at gmail.com
Tue Nov 7 16:50:49 EST 2017


On Wed, Nov 8, 2017 at 8:39 AM, אלעזר <elazarg at gmail.com> wrote:
>
>
> On Tue, 7 Nov 2017, 22:59, Chris Angelico <rosuav at gmail.com> wrote:
>>
>>
>> -1 on hiding eval/exec; these features exist in many languages, and
>> they're identically dangerous everywhere. Basically, use eval only
>> with text from the owner of the system, not from anyone untrusted.
>
>
> I am sorry. I don't understand the reasons you are giving here. One sentence
> is a fact, and I agree with the other, so I must be missing something.

If someone is using eval/exec with untrusted code, no amount of
hiding-behind-imports is going to change that. A quick glance at the
Stack Overflow search you linked to (just the search results
themselves - I didn't dive deeper) shows only a few that would be
affected by this change, and most of them are from people who seem to
at least broadly understand what's going on. So the benefit isn't
going to be huge, and a backward compatibility break is extremely
annoying (even obscure functions like reduce incurred some backlash
when they were "hidden" behind an import). Hence I'm -1 on changing
this. Had Python always had eval off in some module, I wouldn't push
for its promotion to builtin, but IMO the cost of moving it is greater
than any benefit of protection. The dangers of eval/exec should be
well known.

ChrisA
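The point Chris makes above (eval/exec are identically dangerous whether they are builtins or live behind an import, and are only safe on text from the owner of the system) is easy to see with a few lines of code. The following is an added example, not code from the thread or from CPython: it shows the unsafe pattern, the common half-measure of blanking `__builtins__` and why it does not help, and what a calculator-style endpoint should do instead, namely parse the input and interpret only the node types it chooses. The inputs, the `MAX_EXPR_LEN`/`MAX_EXPONENT` limits and every function name here are my own constructions.

```python
import ast
import operator

# Constructed sample inputs (not from the thread): what a "calculator"
# endpoint might receive from a user.
TRUSTED_EXPR = "2 ** 10 + 3"
# Constructed attacker payload. It is deliberately harmless (it returns the
# server's PID) but proves that caller-supplied text is executed as code.
UNTRUSTED_EXPR = "__import__('os').getpid()"


def evaluate_unsafe(text):
    """The pattern the thread warns about: eval() on text the caller
    controls. Moving eval behind an import would not change this."""
    return eval(text)


def sandbox_by_removing_builtins():
    """A common half-measure: eval() with an empty __builtins__ dict.
    Returns (import_blocked, classes_reachable). The __import__ name is
    gone, but attribute traversal from a bare literal still reaches
    object.__subclasses__(), from which an attacker can pick classes
    whose globals expose os, sys or subprocess."""
    namespace = {"__builtins__": {}}
    try:
        eval("__import__('os')", namespace)
        import_blocked = False
    except NameError:
        import_blocked = True
    classes = eval("().__class__.__base__.__subclasses__()", namespace)
    return import_blocked, len(classes)


# The safe alternative for the arithmetic use case: parse, then interpret
# only the node types we choose. Everything else (Call, Attribute, Name,
# Subscript, comprehensions, ...) is rejected before anything runs.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPR_LEN = 200   # assumed limit; bounds parser work on hostile input
MAX_EXPONENT = 1000  # assumed limit; "9 ** 9 ** 9" would otherwise hang us


def evaluate_arithmetic(text):
    """Evaluate an untrusted arithmetic expression without eval()."""
    if len(text) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(text, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # Only int/float literals; bool, str, bytes and complex are refused.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return _BIN_OPS[type(node.op)](left, right)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def is_rejected(text):
    """True if the restricted evaluator refuses the input outright."""
    try:
        evaluate_arithmetic(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("eval() ran the payload, pid =", evaluate_unsafe(UNTRUSTED_EXPR))
    print("empty __builtins__: (import blocked, classes reachable) =",
          sandbox_by_removing_builtins())
    print(TRUSTED_EXPR, "=", evaluate_arithmetic(TRUSTED_EXPR))
    print("payload rejected by AST evaluator:", is_rejected(UNTRUSTED_EXPR))
```

The AST walker accepts exactly the grammar it lists and nothing else, so new attacker tricks (attribute chains, format-string gadgets, comprehensions) fail at the `disallowed syntax` branch rather than executing. Arithmetic errors such as `1 / 0` still propagate as `ZeroDivisionError` and should be mapped to a client error by the caller; the length and exponent caps are there because a grammar that is safe from code execution can still be abused for denial of service.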

