[Python-ideas] Any chance on (slowly) deprecating `eval` and `exec` as builtins?
Serhiy Storchaka
storchaka at gmail.com
Tue Nov 7 17:27:32 EST 2017
07.11.17 16:41, Steven D'Aprano пише:
> On Tue, Nov 07, 2017 at 03:35:58PM +0200, Serhiy Storchaka wrote:
>> 07.11.17 12:29, אלעזר пише:
>>> Also, it is unfortunate that `ast.literal_eval` is less accessible than
>>> `builtins.eval`. Giving it an alias in builtins might make it easier for
>>> programmers (and less scary - "ast" might sound like I need a PhD to use
>>> it).
>>
>> ast.literal_eval is not so safe as you think. Malicious input can cause
>> a stack overflow in your program. [1]
>>
>> [1] https://bugs.python.org/issue31113
>
>
> I don't see anything about literal_eval in that bug report.
Sorry, this particular issue isn't related to literal_eval. There was
other recently fixed issue, but I forgot its number.
But the point is that the compiler is recursive, and processing nested
constructs consumes the C stack. There are some guards against too deep
recursion (2.7 has less guards and more vulnerable), but it is hard to
prove that all vulnerabilities are fixed.
Your method (limiting the size of the input) helps against some attacks.
Other methods -- restricting the set of characters and the number of
parenthesis, braces and brackets.
More information about the Python-ideas
mailing list