On Tue, Nov 7, 2017 at 6:26 PM, Steven D'Aprano <st...@pearwood.info> wrote:
> On Tue, Nov 07, 2017 at 01:53:00PM -0800, Guido van Rossum wrote:
> > On Tue, Nov 7, 2017 at 2:29 AM, אלעזר <elaz...@gmail.com> wrote:
> >
> > > The dangers of eval and exec are obvious and well known to advanced
> > > users, but the availability as built-in functions makes it too tempting
> > > for beginners or even medium-level programmers.
> > >
> >
> > I find it dubious to claim that these functions are dangerous to
> > beginners.
>
> I don't think it's so much that eval/exec are in themselves dangerous
> to beginners as that their easy availability as builtins encourages bad
> habits that can last long after the programmer is no longer a beginner.
>
> I know the Python ecosystem is not quite the wild west as PHP and
> Javascript sometimes is, but code injection attacks do exist:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9807
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9802
>
> Sometimes they're written by beginners whose code isn't being reviewed
> carefully enough, and sometimes they're written by experienced coders
> who have simply learned bad habits and haven't learned better.
>
> I don't want to scare people away from using eval/exec, but it would be
> great if we could gently encourage them to think before using them, and
> to prefer literal_eval instead.

Sure, I'm all for making sure the documentation is clear. But the proposal
at hand is to remove them from the builtins, and I don't see the situation
as grave as needing that.

-- 
--Guido van Rossum (python.org/~guido)
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
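The distinction Steven draws above (eval/exec versus ast.literal_eval on input the program did not write itself) is easy to see in code. The following is an added example, not code from the thread or from CPython: it feeds the same constructed strings to both functions. The benign inputs and the injected string are made up here; the injected call is deliberately harmless (os.getcwd) and stands in for any attacker-chosen expression.

```python
"""eval() versus ast.literal_eval() on untrusted text.

Added example; not code from the mailing-list thread. All inputs are
constructed here for illustration.
"""
import ast
from typing import Any, List, Tuple

# Constructed sample inputs: values a config file or request field might
# legitimately carry, all written in Python literal syntax.
BENIGN_INPUTS = [
    "42",
    "-3.5",
    "'hello'",
    "b'raw'",
    "[1, 2, 3]",
    "{'user': 'alice', 'roles': ('admin',)}",
    "{1, 2}",
    "None",
]

# Constructed injected input: a function call, not a literal. eval() will
# execute it; literal_eval() will refuse it without running anything.
# os.getcwd() is used so the demonstration itself does nothing harmful.
INJECTED_INPUT = "__import__('os').getcwd()"


def parse_with_eval(text: str) -> Any:
    """The tempting builtin: whatever the caller typed is compiled and run."""
    return eval(text)  # noqa: S307 - intentionally unsafe, for contrast


def parse_with_literal_eval(text: str) -> Any:
    """Safe counterpart: only Python literal syntax is accepted.

    ast.literal_eval parses the text to an AST and rebuilds the value from
    literal nodes only (numbers, strings, bytes, tuples, lists, dicts, sets,
    booleans, None). Any other node, such as a Call, Name or Attribute,
    raises ValueError, so no code from the input is ever executed.
    """
    return ast.literal_eval(text)


def classify(text: str) -> str:
    """Return 'literal' if the text is pure literal syntax, else 'rejected'.

    ValueError covers non-literal nodes, SyntaxError covers text that is not
    Python at all, TypeError covers e.g. an unhashable dict key. Deeply nested
    input can also exhaust the parser (MemoryError/RecursionError), so a
    real parser should bound input length before calling literal_eval.
    """
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return "rejected"
    return "literal"


def compare(inputs: List[str]) -> List[Tuple[str, str, bool]]:
    """For each input: (text, literal_eval verdict, did eval() execute it)."""
    rows = []
    for text in inputs:
        verdict = classify(text)
        try:
            parse_with_eval(text)
            ran = True
        except Exception:  # eval failing is the only way it does NOT run
            ran = False
        rows.append((text, verdict, ran))
    return rows


if __name__ == "__main__":
    for text, verdict, ran in compare(BENIGN_INPUTS + [INJECTED_INPUT]):
        print(f"{text!r:45} literal_eval={verdict:9} eval_ran={ran}")
```

Run it and the last row shows the point: eval() happily executes the injected call while literal_eval() rejects it. For the benign rows both functions return identical values, which is why literal_eval is the drop-in replacement when the input is supposed to be data rather than code.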