[issue39158] ast.literal_eval() doesn't support empty sets

Pablo Galindo Salgado Fri, 03 Jan 2020 11:32:55 -0800


Pablo Galindo Salgado <pablog...@gmail.com> added the comment:


The function literal_eval is not safe anymore as the constructor can be 
intercepted:

>>> import builtins
>>> def evil_code(*args):
...     print("Something evil")
...
>>> builtins.set = evil_code
>>> ast.literal_eval("set()")
Something evil


I think we should either use {0}.__class__.

Also, the documentation now is wrong as the function does more than evaluate 
literals or container displays.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue39158>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue39158] ast.literal_eval() doesn't support empty sets

Reply via email to