Safe eval of insecure strings containing Python data structures?

Terry Reedy tjreedy at
Thu Oct 9 22:49:14 CEST 2008

Paul Rubin wrote:
> Lie Ryan <lie.1296 at> writes:
>> in python 2.6, ast.literal_eval may be used to replace eval() for 
>> literals. 
> What happens on literal_eval('[1]*999999999') ?

Easy to try.  Since it is not a literal or display,
  ValueError: malformed string, just as with set({1,2,3])
 >>> [1]*999999999 # or
 >>> eval('[1]*999999999') # give a quick MemoryError
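
An added example, not part of the original post: a wrapper around `ast.literal_eval` for untrusted strings that reports which non-literal node caused the rejection, so `[1]*999999999` is refused as a `BinOp` without ever being evaluated. The names `parse_literal`, `reason`, `RejectedInput` and the `MAX_LEN` cap are assumptions made for this sketch, and it assumes Python 3.8 or later.

```python
import ast

MAX_LEN = 10_000  # assumed cap, not from the post; size it to your data

# Node types that can appear in a pure literal or display.
_LITERAL_NODES = (ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict,
                  ast.Set, ast.UnaryOp, ast.UAdd, ast.USub, ast.Load)


class RejectedInput(ValueError):
    """Raised for any input that is not a plain Python literal."""


def _first_non_literal(tree):
    # Diagnostics only: literal_eval has already made the accept/reject decision.
    for node in ast.walk(tree):
        if not isinstance(node, _LITERAL_NODES):
            return type(node).__name__
    return None


def parse_literal(text, max_len=MAX_LEN):
    """Parse untrusted text as a literal; operators and calls are never run."""
    if len(text) > max_len:
        # The ast docs warn that large or deeply nested input can exhaust
        # memory or the C stack, so bound the size before parsing.
        raise RejectedInput("input longer than %d characters" % max_len)
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, ValueError, MemoryError, RecursionError) as exc:
        raise RejectedInput("not a parseable expression") from exc
    try:
        return ast.literal_eval(tree)
    except (ValueError, TypeError, MemoryError, RecursionError) as exc:
        node = _first_non_literal(tree)
        detail = ": %s node" % node if node else ""
        raise RejectedInput("rejected by literal_eval" + detail) from exc


def reason(text):
    """Return the rejection reason for text, or None if it parses."""
    try:
        parse_literal(text)
    except RejectedInput as exc:
        return str(exc)
    return None
```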
