First security bug related to f-strings

Irmen de Jong irmen.NOSPAM at xs4all.nl
Sat Nov 5 14:50:34 EDT 2016


On 5-11-2016 19:08, eryk sun wrote:
> On Sat, Nov 5, 2016 at 5:33 PM, Irmen de Jong <irmen.NOSPAM at xs4all.nl> wrote:
>> I think perhaps we should have a command line option / environment variable to be able
>> to disable 'eval' altogether....
> 
> I don't think that's practical. exec and eval are commonly used by
> shells and IDEs such as IDLE and IPython. In the standard library,
> importlib and namedtuple are two important users of exec. Just try
> `import builtins; del builtins.exec, builtins.eval`.
> 

Perhaps. But in those cases you could just leave things on the default.
If you choose to run the interpreter with eval (and exec) disabled, you should be aware
that you'll break tools like that. But for other situations (web server etc) it could
still be useful? I do agree that not being able to use namedtuple (and perhaps other
things from the stdlib) is a problem then.


It was just a thought.

Irmen
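The following is an added example, not code from the thread or from the Python project: it applies the quoted one-liner (delete eval and exec from the builtins module) and checks what that actually does and does not achieve. It assumes CPython 3.x; the helper names (disable_eval_exec, probe, run_without_exec) and the two sample input strings are this example's own. The standard-library casualty is the one eryk sun names: CPython's namedtuple builds the __new__ method by running generated source through exec (older 3.x) or eval (current 3.x), so it fails either way once the names are gone.

```python
"""Added example (not from the thread): what deleting eval/exec from
``builtins`` does and does not buy you.  Assumes CPython 3.x; the helper
names (disable_eval_exec, probe, run_without_exec) are this example's own."""
import ast
import builtins
import collections
import types

# Constructed sample inputs, standing in for strings a service might receive.
UNTRUSTED_EXPR = "__import__('os').getcwd()"                # code, not data
UNTRUSTED_LITERAL = "{'user': 'alice', 'roles': ['admin']}"  # data only


def disable_eval_exec():
    """Remove eval and exec from the builtins module (the quoted one-liner)
    and return the originals so they can be restored."""
    saved = {}
    for name in ("eval", "exec"):
        if hasattr(builtins, name):
            saved[name] = getattr(builtins, name)
            delattr(builtins, name)
    return saved


def restore_eval_exec(saved):
    for name, fn in saved.items():
        setattr(builtins, name, fn)


def probe(fn, *args):
    """Call fn(*args); report (True, result) or (False, exception class name)."""
    try:
        return True, fn(*args)
    except Exception as exc:
        return False, type(exc).__name__


def run_without_exec(source, namespace):
    """Execute module-level source without the exec builtin: compile() is
    still present, and a module code object wrapped in a function object
    runs when called, with the namespace dict as its globals."""
    code = compile(source, "<untrusted>", "exec")
    types.FunctionType(code, namespace)()
    return namespace


def demo():
    results = {}
    saved = disable_eval_exec()
    try:
        # 1. A naive eval() of untrusted input now fails closed (NameError) ...
        results["eval_untrusted"] = probe(lambda: eval(UNTRUSTED_EXPR))
        # 2. ... but so does stdlib code that builds classes with eval/exec:
        #    CPython's namedtuple creates __new__ that way.
        results["namedtuple"] = probe(collections.namedtuple, "Point", "x y")
        # 3. Parsing data never needed eval: ast.literal_eval keeps working
        #    and still rejects anything that is not a literal.
        results["literal_data"] = probe(ast.literal_eval, UNTRUSTED_LITERAL)
        results["literal_code"] = probe(ast.literal_eval, UNTRUSTED_EXPR)
        # 4. Deleting the names is not a capability boundary: a reference taken
        #    before the deletion still works, and compile()+FunctionType rebuilds exec.
        results["saved_ref"] = probe(saved["eval"], "2 + 3")
        results["exec_rebuilt"] = probe(run_without_exec, "answer = base * 7", {"base": 6})
    finally:
        restore_eval_exec(saved)
    # 5. With the builtins restored, namedtuple works again.
    results["namedtuple_restored"] = probe(collections.namedtuple, "Point", "x y")
    return results


if __name__ == "__main__":
    for key, (ok, value) in demo().items():
        print(f"{key:20} {'ok ' if ok else 'ERR'} {value!r}")
```

Run it as a script to see each probe's outcome. The two things worth taking away: the breakage eryk sun predicts is real and hits the standard library, not just IDEs, and the switch is cosmetic anyway, because compile() and function objects give any code that can already run the same power eval and exec had. For the web-server case the effective control is not to pass untrusted strings to eval at all, using ast.literal_eval where the input is meant to be data.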