Nick Coghlan <ncogh...@gmail.com> added the comment:

I'm marking this as documentation issue for now, as the operators that 
literal_eval allows are solely those where constant folding support is needed 
to correctly handle complex and negative numbers (as noted in the original 
post):

```
>>> dis.dis("+1")
  1           0 LOAD_CONST               1 (1)
              2 RETURN_VALUE
>>> dis.dis("-1")
  1           0 LOAD_CONST               1 (-1)
              2 RETURN_VALUE
>>> dis.dis("1+1")
  1           0 LOAD_CONST               1 (2)
              2 RETURN_VALUE
>>> dis.dis("1+1j")
  1           0 LOAD_CONST               2 ((1+1j))
              2 RETURN_VALUE
>>> dis.dis("2017-10-10")
  1           0 LOAD_CONST               3 (1997)
              2 RETURN_VALUE
```

So the key promise that literal_eval makes is that it will not permit arbitrary 
code execution, but the docs should make it clearer that it *does* permit 
constant folding for addition and subtraction in order to handle the full range 
of numeric literals.

If folks want to ensure that the input string *doesn't* include a binary 
operator, then that currently needs to be checked separately with ast.parse:

```
>>> type(ast.parse("2+3").body[0].value) is ast.BinOp
True
>>> type(ast.parse("2017-10-10").body[0].value) is ast.BinOp
True
```

For 3.7+, that check could potentially be encapsulated as an 
"allow_folding=True" keyword-only parameter (where the default gives the 
current behaviour, while "allow_folding=False" disables processing of UnaryOp 
and BinOp), but the docs update is the more immediate need.

----------
assignee:  -> docs@python
components: +Documentation
nosy: +docs@python
versions: +Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31778>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to