Carl Ekerot added the comment:

It doesn't solve the case when an identifier or number is used as a function:

   >>> import os
   >>> gettext.c2py("n()")(lambda: os.system("sh"))
   $ 
   0
   >>> gettext.c2py("1()")(0)
   Traceback (most recent call last):
     File "<stdin>", line 1, in <module>
     File "<string>", line 1, in <lambda>
   TypeError: 'int' object is not callable

This is more of an unintended behavior than a security issue.

Xiang Zhang: I've created a patch based on yours which handles the above case.
I've also added a corresponding test case.

IMO it would be even better if we could avoid eval. One possible (and safe) way
would be to construct a safe subset of Python using the ast module. This would
however still require that the C-style syntax is translated to Python. As you
mention, there are issues parsing and translating nested ternary operators, and
I doubt it will be possible to cover all cases with the regex replace utilized
today.

----------
Added file: http://bugs.python.org/file45349/gettext_c2py_func.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28563>
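The ast-based approach suggested in the comment above, as an added example that is not part of the issue, its patch, or CPython's gettext module: it assumes the C plural expression has already been translated to Python syntax (as c2py's regex step does, with `//` for division) and Python 3.8+, and evaluates it by walking a whitelisted set of ast nodes, so `n()`, `1()` or an `__import__` call is rejected when the form is loaded rather than executed.

```python
import ast
import operator

# Added example (not CPython's gettext code): evaluate a plural-forms
# expression already translated to Python syntax, e.g. "n != 1" or
# "0 if n == 1 else 1", by walking a whitelisted ast instead of eval().

_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
# Node classes a plural form may contain; ast.Call is deliberately absent,
# so "n()" and "1()" are rejected instead of being called.
_ALLOWED = (ast.Expression, ast.Constant, ast.Name, ast.Load, ast.BinOp,
            ast.Compare, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
            ast.IfExp) + tuple(_BIN) + tuple(_CMP)

def _eval(node, n):
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):          # only "n" survives validation
        return n
    if isinstance(node, ast.BinOp):
        return _BIN[type(node.op)](_eval(node.left, n), _eval(node.right, n))
    if isinstance(node, ast.Compare):
        left = _eval(node.left, n)
        return int(_CMP[type(node.ops[0])](left, _eval(node.comparators[0], n)))
    if isinstance(node, ast.BoolOp):        # short-circuit like C's && and ||
        want = isinstance(node.op, ast.Or)
        for value in node.values:
            if bool(_eval(value, n)) == want:
                return int(want)
        return int(not want)
    if isinstance(node, ast.UnaryOp):       # validation only admits "not"
        return int(not _eval(node.operand, n))
    if isinstance(node, ast.IfExp):         # translated C ternary
        return _eval(node.body, n) if _eval(node.test, n) else _eval(node.orelse, n)
    raise ValueError("unexpected node: %s" % type(node).__name__)

def safe_plural(expr):
    """Validate a Python-syntax plural expression; return n -> plural index."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("disallowed construct: %s" % type(node).__name__)
        if isinstance(node, ast.Name) and node.id != "n":
            raise ValueError("unknown identifier: %s" % node.id)
        if isinstance(node, ast.Constant) and type(node.value) is not int:
            raise ValueError("only integer literals are allowed")
        if isinstance(node, ast.Compare) and len(node.ops) != 1:
            raise ValueError("chained comparisons are not allowed")
    return lambda n: _eval(tree.body, n)
```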