From 5854024cc68792c2b15a7ac84a454ca4857dffbb Mon Sep 17 00:00:00 2001 From: Daniel Ruf Date: Tue, 30 Apr 2024 18:27:43 +0200 Subject: [PATCH 1/6] Add warning regarding the unsafe usage of eval --- Doc/library/functions.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index e598ef423de497..3345192ec454a3 100644 --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst @@ -562,6 +562,11 @@ are always available. They are listed here in alphabetical order. >>> eval('x+1') 2 + .. warning:: + + Because this function can be used for executing arbitrary code, it is not recommended + to pass user-supplied input, which may lead to security vulnerabilities. + This function can also be used to execute arbitrary code objects (such as those created by :func:`compile`). In this case, pass a code object instead of a string. If the code object has been compiled with ``'exec'`` as the From 05054bae8c72fa45e8108d178bdac9a0d1f68aaa Mon Sep 17 00:00:00 2001 From: Daniel Ruf Date: Mon, 6 May 2024 10:03:33 +0200 Subject: [PATCH 2/6] Add warning regarding the unsafe usage of exec --- Doc/library/functions.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index 3345192ec454a3..909de9fd06db4b 100644 --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst @@ -592,6 +592,11 @@ are always available. They are listed here in alphabetical order. .. function:: exec(object, globals=None, locals=None, /, *, closure=None) + .. warning:: + + Because this function can be used for executing arbitrary code, it is not recommended + to pass user-supplied input, which may lead to security vulnerabilities. + This function supports dynamic execution of Python code. *object* must be either a string or a code object. If it is a string, the string is parsed as a suite of Python statements which is then executed (unless a syntax error 
From 0f3cfcdd69d5fa26d45059c70999c0a2bd6bc129 Mon Sep 17 00:00:00 2001 From: Daniel Ruf Date: Mon, 6 May 2024 18:42:31 +0200 Subject: [PATCH 3/6] Move warning under parameters table --- Doc/library/functions.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index 909de9fd06db4b..c73d3591f59151 100644 --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst @@ -541,6 +541,11 @@ are always available. They are listed here in alphabetical order. :returns: The result of the evaluated expression. :raises: Syntax errors are reported as exceptions. + .. warning:: + + Because this function can be used for executing arbitrary code, it is not recommended + to pass user-supplied input, which may lead to security vulnerabilities. + The *expression* argument is parsed and evaluated as a Python expression (technically speaking, a condition list) using the *globals* and *locals* dictionaries as global and local namespace. If the *globals* dictionary is @@ -562,11 +567,6 @@ are always available. They are listed here in alphabetical order. >>> eval('x+1') 2 - .. warning:: - - Because this function can be used for executing arbitrary code, it is not recommended - to pass user-supplied input, which may lead to security vulnerabilities. - This function can also be used to execute arbitrary code objects (such as those created by :func:`compile`). In this case, pass a code object instead of a string. If the code object has been compiled with ``'exec'`` as the From 2d37c80642ccdb6367429b589e0b5e1c7f817b94 Mon Sep 17 00:00:00 2001 From: Daniel Ruf Date: Tue, 7 May 2024 08:41:01 +0200 Subject: [PATCH 4/6] Use suggested shorter text Co-authored-by: Jelle Zijlstra --- Doc/library/functions.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index f91ac51f16f58c..9ba6d2887f12f7 100644 --- a/Doc/library/functions.rst 
+++ b/Doc/library/functions.rst @@ -598,8 +598,8 @@ are always available. They are listed here in alphabetical order. .. warning:: - Because this function can be used for executing arbitrary code, it is not recommended - to pass user-supplied input, which may lead to security vulnerabilities. + This function can execute arbitrary code. Calling it with + user-supplied input may lead to security vulnerabilities. This function supports dynamic execution of Python code. *source* must be either a string or a code object. If it is a string, the string is parsed as From 32937684dbd50b741b2df5c17996ce37bb915acc Mon Sep 17 00:00:00 2001 From: Daniel Ruf Date: Tue, 7 May 2024 08:41:25 +0200 Subject: [PATCH 5/6] Use suggested shorter text Co-authored-by: Jelle Zijlstra --- Doc/library/functions.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index 9ba6d2887f12f7..a1f4cbf1ae8ec9 100644 --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst @@ -543,8 +543,8 @@ are always available. They are listed here in alphabetical order. .. warning:: - Because this function can be used for executing arbitrary code, it is not recommended - to pass user-supplied input, which may lead to security vulnerabilities. + This function can execute arbitrary code. Calling it with + user-supplied input may lead to security vulnerabilities. The *expression* argument is parsed and evaluated as a Python expression (technically speaking, a condition list) using the *globals* and *locals* From 4c96fe2b1ac8f736a2e77ac10c51622ce3c0dcc7 Mon Sep 17 00:00:00 2001 From: Daniel Ruf Date: Tue, 7 May 2024 21:18:42 +0200 Subject: [PATCH 6/6] Improve wording as suggested --- Doc/library/functions.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index a1f4cbf1ae8ec9..a48ba5369dfeda 100644 --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst 
@@ -543,7 +543,7 @@ are always available. They are listed here in alphabetical order. .. warning:: - This function can execute arbitrary code. Calling it with + This function executes arbitrary code. Calling it with user-supplied input may lead to security vulnerabilities. The *expression* argument is parsed and evaluated as a Python expression @@ -598,7 +598,7 @@ are always available. They are listed here in alphabetical order. .. warning:: - This function can execute arbitrary code. Calling it with + This function executes arbitrary code. Calling it with user-supplied input may lead to security vulnerabilities. This function supports dynamic execution of Python code. *source* must be
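Review bot: in the first patch (hunk `@@ -562,6 +562,11 @@` of PATCH 1/6) the eval warning lands after the `>>> eval('x+1')` doctest and in the middle of the prose about code objects, so a reader reaches the usage example before the caution; the `.. warning::` block belongs directly under the `:returns:`/`:raises:` field list so it is read first. The line `Because this function can be used for executing arbitrary code, it is not recommended` also runs to 86 columns, wider than the surrounding text is wrapped; rewrap it to fit.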
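Review bot: in the exec warning of PATCH 2/6 (hunk `@@ -592,6 +592,11 @@`) the clause `it is not recommended to pass user-supplied input, which may lead to security vulnerabilities` leaves `which` with an ambiguous antecedent (the recommendation or the input), and the hedged `can be used for executing` reads as if arbitrary execution were an edge case rather than the function's purpose. State the risk directly, as the series later does: `This function executes arbitrary code. Calling it with` / `user-supplied input may lead to security vulnerabilities.` Keep the eval and exec warnings word-for-word identical so the two entries do not drift.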
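Review bot: PATCH 4/6 (hunk `@@ -598,8 +598,8 @@`) does not chain from the previous patch: its index line is `f91ac51f16f58c..9ba6d2887f12f7` while PATCH 3/6 leaves the file at `c73d3591f59151`, and its context line reads `*source* must be either a string or a code object` where PATCH 2/6 showed `*object* must be`. Patches 4 to 6 were evidently regenerated against a rebased tree, so the series will not apply cleanly in order with `git am`; either squash it into a single commit or note the rebase in the PR description.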
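Review bot: the final wording in PATCH 6/6 (hunks `@@ -543,7 +543,7 @@` and `@@ -598,7 +598,7 @@`) names the hazard but gives the reader no alternative, and the most common reason to reach for :func:`eval` on untrusted text is to parse a literal; consider adding one sentence pointing to :func:`ast.literal_eval` for that case, and, for both entries, making clear that passing restricted `globals`/`locals` dictionaries does not turn :func:`eval` or :func:`exec` into a sandbox. The change from `can execute` to `executes` is the right call: a hedge invites readers to assume their own input is the exception.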