Hugo Geoffroy added the comment:

I would like to point out that the changes in `ast.literal_eval` may have some 
security risk for code that does not expect this function to return an object 
with user-controlled length (for example, with `2**32*'X'`). AFAIK, this is not 
possible with the current version of `literal_eval`.

At least [this library](https://pypi.python.org/pypi/serpent) would have a 
serious risk of remote DoS:

> Because it only serializes literals and recreates the objects using 
> ast.literal_eval(), the serialized data is safe to transport to other 
> machines (over the network for instance) and de-serialize it there.

Sorry for the noise if this is a useless/incorrect consideration.

----------
nosy: +pstch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11549>
_______________________________________
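The risk described in the comment above, as an added example that is not part of the tracker post or of the serpent library: a wrapper for deserializing untrusted literals that caps the input size and rejects any operator node, so that neither today's `literal_eval` nor a constant-folding variant could turn a short payload like `2**32*'X'` into a huge object. The function names and the byte limit are constructed for this example.

```python
import ast

# Node types a pure-literal payload may contain. No operator nodes are
# allowed at all, so no expression can amplify its own size (assumption:
# the conservative choice also rejects complex literals such as 1+2j).
_ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Tuple, ast.List, ast.Set, ast.Dict,
    ast.UnaryOp, ast.UAdd, ast.USub, ast.Load,
)

MAX_PAYLOAD_BYTES = 64 * 1024  # constructed limit for the example


def has_operator_nodes(text):
    """True if the parsed expression contains any node outside the literal
    allowlist, e.g. the BinOp/Pow/Mult nodes of ``2**32*'X'``."""
    tree = ast.parse(text, mode="eval")
    return any(not isinstance(n, _ALLOWED_NODES) for n in ast.walk(tree))


def bounded_literal_eval(text, max_bytes=MAX_PAYLOAD_BYTES):
    """literal_eval wrapper for untrusted serialized data.

    The size of a pure literal's value is bounded by the size of its source
    text, so capping the input caps the memory the result can consume. Any
    operator node is rejected outright, so a future constant-folding change
    in literal_eval could not reintroduce size amplification."""
    if len(text) > max_bytes:
        raise ValueError("payload too large: %d bytes" % len(text))
    if has_operator_nodes(text):
        raise ValueError("payload contains non-literal nodes")
    return ast.literal_eval(text)


def literal_eval_rejects(text):
    """True if the stdlib literal_eval itself refuses ``text``."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError):
        return True
    return False
```

Checking `literal_eval_rejects("2**32*'X'")` on the interpreter at hand shows whether the stdlib function still refuses operator expressions; the wrapper keeps rejecting them either way.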