[issue39158] ast.literal_eval() doesn't support empty sets

2020-12-20 Thread Raymond Hettinger
Change by Raymond Hettinger : -- resolution: -> fixed stage: needs patch -> resolved status: open -> closed ___ Python tracker ___

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-06 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: > "Safe" means safe from user input to literal_eval(). Yup, apologies. I had something in mind and I realized after writing my initial comment. That is why I said afterwards: > and the security concern is non-existent. -- ___

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-06 Thread Raymond Hettinger
Raymond Hettinger added the comment: > The function literal_eval is not safe anymore as the > constructor can be intercepted "Safe" means safe from user input to literal_eval(). If a person can already write arbitrary code that redefines a builtin, then they can already do anything they wan

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-04 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: > And if add support of non-literals, where should we stop? Should we support > also frozenset() and bytearray()? inf and nan? infj and nanj? complex()? > Ellipsis? __debug__? Then the name of the function would be a bit misleading (for frozenset() an

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-04 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: The documentation for ast.literal_eval(): Safely evaluate an expression node or a string containing a Python literal or container display. The string or node provided may only consist of the following Python literal structures: strings, bytes, numb

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-03 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: I am re-closing the issue as I don't think is worth complicating the docs for this edge case and the security concern is non existent. Apologies for the noise. If someone feels strongly about the documentation, they can reopen the issue. -- r

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-03 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: > The function literal_eval is not safe anymore as the constructor can be > intercepted: Well, actually it can also be done with any other builtin via the same trick, so this is no different but is only slightly more obvious that it can be done. I st

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-03 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: The function literal_eval is not safe anymore as the constructor can be intercepted: >>> import builtins >>> def evil_code(*args): ... print("Something evil") ... >>> builtins.set = evil_code >>> import ast >>> ast.literSomething evil KeyboardInte

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-03 Thread Pablo Galindo Salgado
Change by Pablo Galindo Salgado : -- Removed message: https://bugs.python.org/msg359250 ___ Python tracker ___ ___ Python-bugs-list

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-03 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: The function literal_eval is not safe anymore as the constructor can be intercepted: >>> import builtins >>> def evil_code(*args): ... print("Something evil") ... >>> builtins.set = evil_code >>> ast.literal_eval("set()") Something evil I think w

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-02 Thread Raymond Hettinger
Raymond Hettinger added the comment: New changeset 4fcf5c12a37a8d3d8d6303c44c223dbc8d568cfd by Raymond Hettinger in branch 'master': bpo-39158: ast.literal_eval() doesn't support empty sets (GH-17742) https://github.com/python/cpython/commit/4fcf5c12a37a8d3d8d6303c44c223dbc8d568cfd

[issue39158] ast.literal_eval() doesn't support empty sets

2020-01-02 Thread Raymond Hettinger
Change by Raymond Hettinger : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker ___ ___

[issue39158] ast.literal_eval() doesn't support empty sets

2019-12-29 Thread Raymond Hettinger
Raymond Hettinger added the comment: > set() is neither literal nor container display. Yes, that is obvious. However, we do support sets and set() is how make an empty set. It is weird to support sets but not empty sets, especially when it is so easy to do so safely. -- __

[issue39158] ast.literal_eval() doesn't support empty sets

2019-12-29 Thread Pablo Galindo Salgado
Change by Pablo Galindo Salgado : -- nosy: +pablogsal ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https:/

[issue39158] ast.literal_eval() doesn't support empty sets

2019-12-29 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: set() is neither literal nor container display. -- nosy: +serhiy.storchaka ___ Python tracker ___ _

[issue39158] ast.literal_eval() doesn't support empty sets

2019-12-29 Thread Batuhan
Change by Batuhan : -- nosy: +BTaskaya type: -> enhancement ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue39158] ast.literal_eval() doesn't support empty sets

2019-12-29 Thread Raymond Hettinger
Change by Raymond Hettinger : -- keywords: +patch pull_requests: +17184 stage: -> patch review pull_request: https://github.com/python/cpython/pull/17742 ___ Python tracker __

[issue39158] ast.literal_eval() doesn't support empty sets

2019-12-29 Thread Raymond Hettinger
New submission from Raymond Hettinger : We already support sets but not empty sets. After the PR, this now works: >>> from ast import literal_eval >>> literal_eval('set()') set() If we wanted, it would be a simple matter to extend it frozensets: >>> literal_eval('frozenset({1