New submission from Larry Hastings:

Peter's working on converting socket to use Argument Clinic. He had a default that really should look like this:

    min(SOME_SOCKET_MODULE_CONSTANT, 128)

"min" wasn't something we'd needed before. I thought about it and realized we could do a much better job of simulating the evaluation context of a shared module.

Initially I thought all I needed was to bolster the environment we used for eval() to add the builtins. (Which I've done.) But this wasn't sufficient, because we deliberately used ast.literal_eval(), which doesn't support function calls by design, for superior security. Or subscripting, or attribute access. We already worked around those, I think.

But how concerned are we about security? What is the attack vector here? If the user is able to construct an object that has a villainous __text_signature__ on it... surely they could already do as they like?

So here's a first draft at modifying the __text_signature__ evaluation environment so it can handle much more sophisticated expressions. It can use anything from builtins, or anything in sys.modules, or anything in the current module; it can call functions, and subscript, and access attributes, and everything. To make this work I had to write an ast printer that produces evaluatable Python code. Note that it's not complete; I know it's not complete, it's missing loads of operators. Assume that if this is a good idea I will add all the missing operators.

Nick was worried that *in the future* we might expose a "turn this string into a signature" function. That might make an easier attack vector. So he asked that the "trusted=" keyword flag be added, and the full-on eval only happen if the string is trusted.
----------
assignee: larry
components: Library (Lib)
files: larry.improved.signature.expressions.1.txt
messages: 241140
nosy: larry, ncoghlan, pdmccormick, serhiy.storchaka, yselivanov, zach.ware
priority: normal
severity: normal
stage: patch review
status: open
title: Make inspect.signature expression evaluation more powerful
type: enhancement
versions: Python 3.5
Added file: http://bugs.python.org/file39047/larry.improved.signature.expressions.1.txt

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23967>
_______________________________________
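The two evaluation paths the message contrasts, as an added illustration that is not Larry's attached patch (his draft uses an AST printer that regenerates source; this version simply parses with ast and hands trusted strings to eval()). The module and its SOMAXCONN-style constant are constructed stand-ins, not the real socket module, and the evaluate_default / untrusted_rejects names are hypothetical. Untrusted strings go through ast.literal_eval(), which refuses calls, subscripts and attribute access; only when trusted=True is the expression evaluated against builtins, sys.modules and the owning module's namespace, so the flag is the sole thing standing between a signature string and full eval().

```python
import ast
import builtins
import sys
import types

# Constructed stand-in for an extension module whose __text_signature__
# defaults are being evaluated (hypothetical; not the real socket module).
_demo_module = types.ModuleType("demo_sock")
_demo_module.SOMAXCONN = 4096  # constructed value; real one is platform dependent


def evaluate_default(expr, module, trusted=False):
    """Evaluate one default-value expression from a __text_signature__.

    trusted=False: ast.literal_eval only. Literals, tuples, lists, dicts and
                   unary minus work; Call, Subscript and Attribute nodes raise
                   ValueError by design.
    trusted=True:  parse in "eval" mode to reject statements, then eval() with
                   a namespace built from builtins, every module in sys.modules
                   and the owning module's own globals. This is full eval();
                   the caller vouches for the string by passing trusted=True.
    """
    if not trusted:
        return ast.literal_eval(expr)

    tree = ast.parse(expr, mode="eval")  # SyntaxError on anything but an expression
    namespace = {}
    namespace.update(sys.modules)        # e.g. "sys", "os" resolve to module objects
    namespace.update(vars(builtins))     # min, max, len, ...
    namespace.update(vars(module))       # the module's own constants win on conflict
    return eval(compile(tree, "<__text_signature__>", "eval"), namespace)


def untrusted_rejects(expr, module=_demo_module):
    """True if the untrusted path refuses the expression (the safe failure)."""
    try:
        evaluate_default(expr, module, trusted=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sig_default = "min(SOMAXCONN, 128)"   # the shape of default that motivated the change
    print("untrusted rejects:", untrusted_rejects(sig_default))
    print("trusted value:", evaluate_default(sig_default, _demo_module, trusted=True))
```

Running it shows the asymmetry the message is weighing: the untrusted path cannot produce a value for `min(SOMAXCONN, 128)` at all, while the trusted path returns 128 and, equally, would run any other expression it was handed.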