On Wednesday 10 June 2015 10:47, Devin Jeanpierre wrote:

> Passing around data that can be put into ast.literal_eval is
> synonymous with passing around data that can be put into eval. It
> sounds like a trap.

In what way? literal_eval will cleanly and safely refuse to evaluate
strings like:

    "len(None)"
    "100**100**100"
    "__import__('os').system('rm this')"

and so on, which makes it significantly safer when given untrusted data.

I suppose that one might be able to perform a DOS attack by passing it:

    "1000 ... 0"

where the ... represents, say, a gigabyte of zeroes, but if an attacker
has the ability to feed you gigabytes of data, they don't need
literal_eval to DOS you.

If you can think of an actual attack against literal_eval, please tell
us or report it, so it can be fixed.

> For human readable serialized data, text format protocol buffers are
> seriously underrated. (Relatedly: underdocumented, too.)

Ironically, literal_eval is designed to process text-format protocols
using human-readable Python syntax for common data types like int, str,
and dict.

-- 
Steve

-- 
https://mail.python.org/mailman/listinfo/python-list
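The behaviour Steve describes, as an added example that is not part of the thread: a small wrapper around ast.literal_eval that accepts the literal data types he lists and rejects the three expression strings above. The helper name parse_literal, the size cap, and the sample inputs are my own assumptions; the cap and the RecursionError/MemoryError handling address the resource-exhaustion caveat he raises.

```python
import ast

# Constructed sample inputs: literal data that should parse, and
# expression strings that literal_eval must refuse to evaluate.
SAFE_INPUTS = {
    "{'name': 'alice', 'ids': [1, 2, 3], 'ratio': 0.5, 'flag': None}":
        {'name': 'alice', 'ids': [1, 2, 3], 'ratio': 0.5, 'flag': None},
    "(1, -2, 3.5+1j)": (1, -2, 3.5 + 1j),
}
UNSAFE_INPUTS = [
    "len(None)",                           # function call
    "100**100**100",                       # arithmetic operator
    "__import__('os').system('rm this')",  # attribute access plus call
    "[x for x in range(3)]",               # comprehension
]

# Assumed size cap: bounds the work the parser does on untrusted input.
MAX_INPUT_BYTES = 64 * 1024


def parse_literal(text, max_bytes=MAX_INPUT_BYTES):
    """Return (ok, value_or_reason) for an untrusted string.

    Only Python literals (str, bytes, numbers, tuples, lists, dicts,
    sets, booleans, None) are accepted; nothing else is evaluated.
    """
    if len(text) > max_bytes:
        return False, "input too large"
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        # ValueError: node type not permitted (calls, attributes, **).
        # SyntaxError: not valid Python syntax at all.
        # TypeError: e.g. an unhashable dict key such as {[1]: 2}.
        return False, f"rejected: {type(exc).__name__}: {exc}"
    except (RecursionError, MemoryError):
        # Deeply nested input can exhaust the AST compiler; treat as
        # rejected rather than letting it propagate.
        return False, "rejected: input too deeply nested"
```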