[Python-ideas] Any chance on (slowly) deprecating `eval` and `exec` as builtins?
rosuav at gmail.com
Tue Nov 7 19:32:27 EST 2017
On Wed, Nov 8, 2017 at 10:58 AM, Chris Barker - NOAA Federal <chris.barker at noaa.gov> wrote:
> But the point is that the compiler is recursive, and processing nested
> constructs consumes the C stack. There are some guards against too deep
> recursion (2.7 has fewer guards and is more vulnerable), but it is hard to prove
> that all vulnerabilities are fixed.
>
> Your method (limiting the size of the input) helps against some attacks.
> Other methods -- restricting the set of characters and the number of
> parentheses, braces and brackets.
>
> Hmm — I’d never really thought about it, but presumably ast.literal_eval
> was designed for use in the compiler — or at least uses the compiler to do
> its real work.
>
> So maybe what we really need is a literal-eval that is DESIGNED to be a safe
> Python literal parser.
>
> Like a JSON parser but supporting the richer Python literal set.
I believe there are pure-Python implementations of literal_eval
around, which would be a good basis for hacking on.
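A sketch of the "designed to be safe" literal parser the quoted message asks for, added here as an example and not code from this thread or from CPython: it tokenizes with a regex, accepts only literal syntax (numbers, strings, True/False/None, lists, tuples, dicts, sets), and bounds nesting with its own counter so deeply nested input fails with ValueError instead of recursing on the compiler's C stack. The MAX_DEPTH value and the exact token set are assumptions.

```python
import re

MAX_DEPTH = 20  # constructed limit: reject nesting before it can eat the C stack
TOKEN_RE = re.compile(r"""\s*(?:(?P<num>-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?)
    |(?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
    |(?P<name>(?:True|False|None)\b)|(?P<punct>[\[\]{}(),:])|(?P<bad>\S))""", re.VERBOSE)
CLOSE = {"[": "]", "(": ")", "{": "}"}


def safe_literal_eval(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.lastgroup == "bad":  # names, operators, calls, string prefixes land here
            raise ValueError(f"unsupported syntax at offset {m.start('bad')}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    tokens.reverse()  # so pop() yields the next token
    peek = lambda: tokens[-1][1] if tokens else None

    def value(depth):
        if depth > MAX_DEPTH:  # explicit guard instead of relying on the C stack
            raise ValueError("nesting too deep")
        kind, tok = tokens.pop()
        if kind == "num":
            return float(tok) if any(c in tok for c in ".eE") else int(tok)
        if kind == "str":  # decode escapes with the codec, not the compiler
            return tok[1:-1].encode("latin-1", "backslashreplace").decode("unicode_escape")
        if kind == "name":
            return {"True": True, "False": False, "None": None}[tok]
        if tok not in CLOSE:
            raise ValueError(f"unexpected {tok!r}")
        items, is_dict = [], False
        while peek() != CLOSE[tok]:
            item = value(depth + 1)
            if tok == "{" and peek() == ":":  # key: value pair inside braces
                tokens.pop()
                item, is_dict = (item, value(depth + 1)), True
            items.append(item)
            if peek() == ",":
                tokens.pop()
            elif peek() != CLOSE[tok]:
                raise ValueError("expected ',' or closing bracket")
        tokens.pop()  # consume the closing bracket
        if tok != "{":
            return items if tok == "[" else tuple(items)
        return dict(items) if is_dict or not items else set(items)

    try:
        result = value(0)
    except (IndexError, TypeError):  # ran out of tokens, or mixed/unhashable entries
        raise ValueError("malformed literal") from None
    if tokens:
        raise ValueError("trailing data after literal")
    return result
```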