Message286531
| Field | Value |
|---|---|
| Author | vstinner |
| Recipients | Jeremy.Hylton, Trundle, alex, benjamin.peterson, berker.peksag, brett.cannon, daniel.urban, dmalcolm, eltoder, eric.snow, georg.brandl, gregory.p.smith, isoschiz, jcon, mark.dickinson, meador.inge, methane, nadeem.vawda, ncoghlan, pconnell, pitrou, pstch, rhettinger, santoso.wijaya, serhiy.storchaka, techtonik, terry.reedy, vstinner |
| Date | 2017-01-31.14:05:11 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <CAMpsgwaz67bKXkysG_Q-8xZaxNrnLC+DDj_pmUCckwV2EAJz3g@mail.gmail.com> |
| In-reply-to | <1485869594.0.0.567361563353.issue11549@psf.upfronthosting.co.za> |
| Content |
Hugo Geoffroy added the comment:

> I would like to point out that the changes in `ast.literal_eval` may have some security risk for code that does not expect this function to return an object with user-controlled length (for example, with `2**32*'X'`). AFAIK, this is not possible with the current version of `literal_eval`.

Since the Python compiler doesn't produce ast.Constant, there is no change in practice in ast.literal_eval(). If you found a bug, please open a new issue.

> At least [this library](https://pypi.python.org/pypi/serpent) would have a serious risk of remote DoS:

I tried hard to implement a sandbox in Python and I failed:
https://lwn.net/Articles/574215/

I don't think that literal_eval() is safe *by design*.
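The exchange above turns on what `ast.literal_eval()` does with `2**32*'X'`: the parser builds a tree of `BinOp` nodes (`Pow`, `Mult`) over literal leaves rather than folding them into one constant, and `literal_eval()` refuses any node outside its small literal allowlist, so the expression is rejected instead of producing a 4 GiB string. The block below is an added example written for this page, not code from the bug thread or from CPython; the sample inputs are constructed, and `bounded_literal_eval()` is an assumed helper showing the input-size cap a practitioner would add in front of `literal_eval()` when the source is attacker-controlled. Note that on Python 3.8 and later the parser does emit `ast.Constant` for literals, which is why `node_types()` reports `Constant` leaves; the rejection of the `Mult`/`Pow` nodes is what keeps the result bounded.

```python
"""Added example: how ast.literal_eval treats the 2**32*'X' case.

The samples below are constructed for this example; they are not
inputs taken from the original bug thread.
"""
import ast

SAMPLES = {
    "plain":  "{'user': 'alice', 'ids': (1, 2, 3), 'ok': True}",
    "signed": "-7",
    "repeat": "2**32*'X'",                      # the case quoted in the thread
    "call":   "__import__('os').system('id')",  # never evaluated by literal_eval
}


def node_types(src):
    """Sorted set of AST node type names the parser builds for src.

    ast.parse() does no constant folding, so 2**32*'X' comes back as
    BinOp/Pow/Mult over Constant leaves, not as a single Constant.
    """
    tree = ast.parse(src, mode="eval")
    return sorted({type(n).__name__ for n in ast.walk(tree)})


def literal_eval_outcome(src):
    """('ok', value) if literal_eval accepts src, else ('rejected', exc_name).

    literal_eval walks the AST and only evaluates literal containers,
    constants, signed numbers and complex sums; any other node, including
    the Mult and Pow BinOps in the repeat sample, raises ValueError.
    """
    try:
        return ("ok", ast.literal_eval(src))
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        return ("rejected", type(exc).__name__)


def bounded_literal_eval(src, max_len=64 * 1024):
    """literal_eval behind an input-size cap (assumed helper, not stdlib).

    Because literal_eval performs no repetition or arithmetic, the value
    it returns can never be larger than its source text, so capping the
    source bounds both the result and the parser's work. Deeply nested
    input still costs parser recursion, so the cap is a floor, not a sandbox.
    """
    if len(src) > max_len:
        raise ValueError(f"literal source too long: {len(src)} > {max_len}")
    return ast.literal_eval(src)


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:6} nodes={node_types(src)} -> {literal_eval_outcome(src)}")
```

Run the block to see each sample's node types beside `literal_eval()`'s verdict; the `repeat` and `call` samples are both reported as rejected with `ValueError`, while the dict and the signed number evaluate normally.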
History

| Date | User | Action | Args |
|---|---|---|---|
| 2017-01-31 14:05:11 | vstinner | set | recipients: + vstinner, brett.cannon, georg.brandl, rhettinger, terry.reedy, gregory.p.smith, mark.dickinson, ncoghlan, pitrou, techtonik, nadeem.vawda, benjamin.peterson, alex, Trundle, methane, dmalcolm, meador.inge, daniel.urban, Jeremy.Hylton, santoso.wijaya, eltoder, eric.snow, jcon, berker.peksag, serhiy.storchaka, pconnell, isoschiz, pstch |
| 2017-01-31 14:05:11 | vstinner | link | issue11549 messages |
| 2017-01-31 14:05:11 | vstinner | create | |