
This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author: tim.peters
Date: 2001-11-12 18:52:22
Content:
Logged In: YES
user_id=31435
Why are people (Paul, Jeremy) concerned about eval'ing strings? cPickle and pickle both check that they're properly quoted, and this isn't sh or Perl: Python has no "dynamic" gimmicks buried in string literals. All eval'ing a string literal can do is produce a binary blob via interpreting simple escape sequences. They're like C strings this way -- maybe we'll run out of memory, but that's it.

I would agree that Python should be refactored internally to supply a clean function for changing string literals into binary blobs, but that would be for clarity and efficiency, not security.
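The "clean function for changing string literals into binary blobs" that the message asks for, as an added example that is not part of the original issue or of CPython's own pickle code. It assumes the quoting check pickle performs (same quote character at both ends) and uses `codecs.escape_decode`, the helper CPython's pure-Python pickle later adopted for the STRING opcode; the sample opcode arguments are constructed here for the example. The eval-based decoder is included only for comparison, to show that a start-and-end quote check does not by itself limit eval to interpreting escape sequences: `'a'+'b'` passes the check, yet eval returns the concatenation, whereas the escape decoder returns the bytes between the quotes unchanged.

```python
import codecs

# Constructed sample arguments of pickle's STRING ("S") opcode, without the
# trailing newline. These inputs are made up for this example.
SAMPLES = {
    "plain": b"'hello'",
    "escapes": b"'\\x00\\n\\t\\\\'",   # backslash escapes, as repr() would emit
    "expression": b"'a'+'b'",          # quoted at both ends, but not one literal
    "unquoted": b"hello",              # must be rejected outright
}


def is_quoted(rep: bytes) -> bool:
    """Quoting check: at least two bytes, same quote character at both ends."""
    return len(rep) >= 2 and rep[0] == rep[-1] and rep[0] in b"\"'"


def literal_to_bytes(rep: bytes) -> bytes:
    """Turn a quoted string literal into raw bytes.

    Only backslash escape sequences are interpreted (via codecs.escape_decode);
    nothing is evaluated as Python, so operators, names or calls inside the
    quotes come back as ordinary bytes.
    """
    if not is_quoted(rep):
        raise ValueError("the STRING opcode argument must be quoted")
    body = rep[1:-1]
    decoded, _consumed = codecs.escape_decode(body)
    return decoded


def eval_to_str(rep: bytes) -> str:
    """The eval-based route, shown for comparison only (not recommended).

    Builtins are removed, but eval still evaluates any expression that
    happens to start and end with a quote character.
    """
    if not is_quoted(rep):
        raise ValueError("the STRING opcode argument must be quoted")
    return eval(rep.decode("latin-1"), {"__builtins__": {}})


def decode_samples() -> dict:
    """Run the escape-only decoder over every sample; None marks a rejection."""
    results = {}
    for name, rep in SAMPLES.items():
        try:
            results[name] = literal_to_bytes(rep)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name:>10}: {value!r}")
    # The same "expression" sample under eval is concatenated, not kept verbatim.
    print(f"eval of {SAMPLES['expression']!r}: {eval_to_str(SAMPLES['expression'])!r}")
```

`codecs.escape_decode` is undocumented but has been present in CPython for years; if you would rather not depend on it, `ast.literal_eval` on the decoded text gives the same "literal only, no expressions" guarantee and raises on `'a'+'b'`.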
History
Date | User | Action | Args
2007-08-23 13:56:49 | admin | link | issue471893 messages
2007-08-23 13:56:49 | admin | create |
