Safe eval of insecure strings containing Python data structures?

Terry Reedy tjreedy at udel.edu
Thu Oct 9 22:49:14 CEST 2008


Paul Rubin wrote:
> Lie Ryan <lie.1296 at gmail.com> writes:
>> in python 2.6, ast.literal_eval may be used to replace eval() for 
>> literals. 
> 
> What happens on literal_eval('[1]*999999999') ?

Easy to try.  Since it is not a literal or display,
  ValueError: malformed string, just as with set({1,2,3])
 >>> [1]*999999999 # or
 >>> eval('[1]*999999999') # give a quick MemoryError




More information about the Python-list mailing list