[Python-ideas] Any chance on (slowly) deprecating `eval` and `exec` as builtins?
Guido van Rossum
guido at python.org
Tue Nov 7 21:29:31 EST 2017
On Tue, Nov 7, 2017 at 6:26 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> On Tue, Nov 07, 2017 at 01:53:00PM -0800, Guido van Rossum wrote:
> > On Tue, Nov 7, 2017 at 2:29 AM, אלעזר <elazarg at gmail.com> wrote:
> >
> > > The dangers of eval and exec are obvious and well known to advanced
> > > users, but the availability as built-in functions makes it too tempting
> > > for beginners or even medium-level programmers.
> > >
> >
> > I find it dubious to claim that these functions are dangerous to
> > beginners.
>
>
> I don't think it's so much that eval/exec are in themselves dangerous
> to beginners as that their easy availability as builtins encourages bad
> habits that can last long after the programmer is no longer a beginner.
>
> I know the Python ecosystem is not quite the wild west that PHP and
> Javascript sometimes are, but code injection attacks do exist:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9807
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9802
>
> Sometimes they're written by beginners whose code isn't being reviewed
> carefully enough, and sometimes they're written by experienced coders
> who have simply learned bad habits and haven't learned better.
>
> I don't want to scare people away from using eval/exec, but it would be
> great if we could gently encourage them to think before using them, and
> to prefer literal_eval instead.
>
Sure, I'm all for making sure the documentation is clear. But the proposal
at hand is to remove them from the builtins, and I don't see the situation
as grave as needing that.
--
--Guido van Rossum (python.org/~guido)
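The habit Steven describes, and the literal_eval alternative he suggests, side by side as an added example. This is not code from the thread or from CPython; the setting strings and the injection payload are constructed for the demo, and the payload calls os.getpid() as a harmless stand-in for the os.system(...) an attacker would actually send.

```python
import ast

# Constructed sample inputs (assumptions for this example, not from the thread).
# The first two are the kind of value a naive "parse a setting" routine expects;
# the third is an injection payload of the shape a code-injection bug accepts.
BENIGN_INPUTS = ["42", "{'debug': True, 'hosts': ['a', 'b']}"]
INJECTION_INPUT = "__import__('os').getpid()"  # harmless stand-in for os.system(...)


def parse_setting_unsafe(text):
    """The bad habit: eval() on text the program did not write itself.

    Any valid Python expression runs, including names, attribute access,
    calls and __import__, so a crafted string executes arbitrary code
    with the privileges of the process.
    """
    return eval(text)


def parse_setting_safe(text):
    """The hardened form: ast.literal_eval only accepts Python literals
    (numbers, strings, bytes, tuples, lists, dicts, sets, booleans, None)
    and refuses calls, names and attribute access.

    It raises ValueError for non-literal syntax that still parses and
    SyntaxError for text that does not parse at all.
    """
    return ast.literal_eval(text)


def classify(text):
    """Return 'literal' if text is a pure literal, else 'rejected',
    without ever executing it."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError):
        return "rejected"
    return "literal"


def demo():
    """Run both parsers over the constructed inputs and report what happened.

    Returns a dict so the behaviour can be checked rather than only printed.
    """
    result = {
        "safe_benign": [parse_setting_safe(s) for s in BENIGN_INPUTS],
        "unsafe_benign": [parse_setting_unsafe(s) for s in BENIGN_INPUTS],
        "safe_injection": classify(INJECTION_INPUT),
        # eval() actually executes the payload; the integer PID proves it ran.
        "unsafe_injection_executed": isinstance(
            parse_setting_unsafe(INJECTION_INPUT), int
        ),
    }
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that literal_eval is a safe parser for literals, not a sandbox: the CPython documentation warns that sufficiently large or deeply nested input can exhaust the interpreter's stack, so untrusted input should still be size-limited before it reaches either function.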