[issue42472] security hole in eval()
Christian Heimes
report at bugs.python.org
Thu Nov 26 06:44:49 EST 2020
Christian Heimes <lists at cheimes.de> added the comment:
Would you care to explain why this should not work and how this behavior is in violation of the language specification?
It is a perfectly valid expression. From a security perspective it may be an undesired feature. However, Python neither claims nor promises that eval is secure; see the article https://lwn.net/Articles/574215/ for more information on a failed attempt to sandbox Python. There is also the ast.literal_eval() function, which provides limited evaluation of simple expressions.
----------
nosy: +christian.heimes
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42472>
_______________________________________
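
An added example, not part of the tracker message or of CPython's own code: it shows how ast.literal_eval(), mentioned in the comment above, accepts plain literals from an untrusted string and rejects calls, names and attribute access that eval() would evaluate. The function names, the MAX_LEN cap and the sample strings are constructed for illustration.

```python
import ast

MAX_LEN = 4096  # assumed size cap; deeply nested or huge input can still exhaust memory

# Node types that make an expression more than a literal (what eval() would act on).
NON_LITERAL = (ast.Call, ast.Attribute, ast.Name, ast.Subscript, ast.Lambda,
               ast.ListComp, ast.SetComp, ast.DictComp, ast.GeneratorExp)


def parse_literal(text):
    """Parse an untrusted string as a Python literal.

    Returns (True, value) on success, (False, exception_name) on rejection.
    """
    if len(text) > MAX_LEN:
        return False, "TooLong"
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return False, type(exc).__name__


def non_literal_nodes(text):
    """Name the AST node types in text that literal_eval refuses to evaluate."""
    tree = ast.parse(text, mode="eval")
    return sorted({type(n).__name__ for n in ast.walk(tree)
                   if isinstance(n, NON_LITERAL)})


# Constructed sample inputs, as they might arrive in a config field or request.
SAMPLES = [
    "{'port': 8080, 'hosts': ['a', 'b']}",  # plain literal: accepted
    "abs(-1)",                              # function call: rejected
    "cfg.secret",                           # attribute access: rejected
    "[1, 2",                                # not valid syntax: rejected
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, result = parse_literal(sample)
        try:
            nodes = non_literal_nodes(sample)
        except SyntaxError:
            nodes = ["<unparseable>"]
        print(f"{sample!r:40} ok={ok} result={result!r} non_literal={nodes}")
```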