[Python-ideas] Any chance on (slowly) deprecating `eval` and `exec` as builtins?

Chris Barker - NOAA Federal chris.barker at noaa.gov
Tue Nov 7 18:58:44 EST 2017


But the point is that the compiler is recursive, and processing nested
constructs consumes the C stack. There are some guards against too deep
recursion (2.7 has fewer guards and is more vulnerable), but it is hard to
prove that all vulnerabilities are fixed.

Your method (limiting the size of the input) helps against some attacks.
Other methods -- restricting the set of characters and the number of
parentheses, braces and brackets.


Hmm — I’d never really thought about it, but presumably ast.literal_eval
was designed for use in the compiler— or at least uses the compiler to do
its real work.

So maybe what we really need is a literal-eval that is DESIGNED to be a
safe Python literal parser.

Like a JSON parser but supporting the richer Python literal set.

-CHB
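The two mitigations named in the quoted message (capping input size, and restricting the token set and bracket depth) can be applied as a pre-check that runs before the input ever reaches the compiler. The following is an added example written for this page, not code from the thread or from CPython; the limits (10,000 characters, 20 levels of nesting) and the token allowlist are assumptions to be tuned for the data actually expected. It uses the standard `tokenize` module, which scans iteratively rather than recursing, so deeply nested input is rejected by counting brackets instead of by the compiler hitting its recursion guards.

```python
import ast
import io
import token
import tokenize
from typing import Any


class UnsafeLiteral(ValueError):
    """Input rejected by the pre-check or by ast.literal_eval itself."""


# Allowlist of what a Python literal expression may contain (assumed policy).
ALLOWED_NAMES = {"True", "False", "None"}
ALLOWED_OPS = {"(", ")", "[", "]", "{", "}", ",", ":", "-", "+"}
OPEN_TO_CLOSE = {"(": ")", "[": "]", "{": "}"}
# Structural tokens the tokenizer emits that carry no content.
IGNORED_TYPES = {token.NEWLINE, token.NL, token.ENDMARKER}


def vet_literal(text: str, max_len: int = 10_000, max_depth: int = 20) -> None:
    """Reject oversized, over-nested or non-literal input before compiling it.

    Raises UnsafeLiteral; returns None when the text passes every check.
    """
    if len(text) > max_len:
        raise UnsafeLiteral(f"input longer than {max_len} characters")

    stack: list[str] = []  # currently open brackets, innermost last
    try:
        for tok in tokenize.generate_tokens(io.StringIO(text).readline):
            if tok.type in IGNORED_TYPES or tok.type in (token.NUMBER, token.STRING):
                continue
            if tok.type == token.NAME:
                if tok.string not in ALLOWED_NAMES:
                    raise UnsafeLiteral(f"name {tok.string!r} is not a literal")
                continue
            if tok.type == token.OP:
                if tok.string not in ALLOWED_OPS:
                    raise UnsafeLiteral(f"operator {tok.string!r} not allowed")
                if tok.string in OPEN_TO_CLOSE:
                    stack.append(tok.string)
                    if len(stack) > max_depth:
                        raise UnsafeLiteral(f"nesting deeper than {max_depth}")
                elif tok.string in ")]}":
                    if not stack or OPEN_TO_CLOSE[stack.pop()] != tok.string:
                        raise UnsafeLiteral("unbalanced brackets")
                continue
            # Anything else (comments, f-string parts, error tokens, ...) is out.
            raise UnsafeLiteral(f"unexpected token {token.tok_name[tok.type]}")
    except (tokenize.TokenError, SyntaxError) as exc:
        # Unterminated strings or unclosed brackets surface here.
        raise UnsafeLiteral(f"tokenizer rejected input: {exc}") from exc
    if stack:
        raise UnsafeLiteral("unclosed brackets")


def safe_literal_eval(text: str, **limits: int) -> Any:
    """ast.literal_eval guarded by the size, depth and token checks above."""
    text = text.lstrip(" \t")
    vet_literal(text, **limits)
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # The vet should make these unreachable; treat any escape as rejection.
        raise UnsafeLiteral(f"not a valid literal: {exc}") from exc


def is_safe_literal(text: str, **limits: int) -> bool:
    """True if safe_literal_eval would accept the text, False otherwise."""
    try:
        safe_literal_eval(text, **limits)
    except UnsafeLiteral:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    print(safe_literal_eval("{'a': [1, 2.5, 3j], 'b': (True, None), 'c': b'x'}"))
    print(is_safe_literal("[" * 21 + "]" * 21))   # too deep for the default cap
    print(is_safe_literal("__import__('os')"))    # a name, not a literal
```

The order of the checks matters: the length cap bounds the work the tokenizer does, the tokenizer pass bounds what the compiler sees, and the bracket counter bounds the compiler's recursion depth independently of whatever guards a given CPython version ships with.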