On Tue, Sep 04, 2018 at 11:20:40AM +1000, Cameron Simpson wrote:
> On 03Sep2018 20:58, Wes Turner <wes.tur...@gmail.com> wrote:
> >So, if an application accepts user-supplied input (such as a JSON payload),
> >is that data marked as non-executable?
>
> Unless you've hacked the JSON decoder (I think you can supply a custom
> decoder for some things) all you're going to get back is ints, strs, dicts
> and lists. And floats. None of those is executable.

Strings are executable with exec and eval, but if you're calling exec on
untrusted strings, you've already lost.

--
Steve
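
The point discussed in this thread, as an added example that is not part of any poster's message: the stock `json` decoder returns only plain data types, while a custom `object_hook` is where other objects can enter. The names `decoded_types`, `is_inert`, `Command`, `command_hook` and `PAYLOAD` are constructed for illustration.

```python
import json

# Types the stock json decoder can return (bool and None included).
INERT_TYPES = (dict, list, str, int, float, bool, type(None))


def decoded_types(value, seen=None):
    """Recursively collect the set of Python types in a decoded JSON value."""
    seen = set() if seen is None else seen
    seen.add(type(value))
    if isinstance(value, dict):
        for key, item in value.items():
            decoded_types(key, seen)
            decoded_types(item, seen)
    elif isinstance(value, (list, tuple)):
        for item in value:
            decoded_types(item, seen)
    return seen


def is_inert(value):
    """True when every node is one of the plain data types listed above."""
    return all(t in INERT_TYPES for t in decoded_types(value))


class Command:
    """Hypothetical application class that a custom hook might build."""
    def __init__(self, fields):
        self.fields = fields


def command_hook(obj):
    # A custom object_hook decides what each JSON object becomes; this is
    # the point where decoding stops being "plain data only".
    return Command(obj) if "__command__" in obj else obj


# Constructed payload: the strings look like code but decode to plain str.
PAYLOAD = ('{"name": "print(\'hello\')", "n": [1, 2.5, true, null], '
           '"job": {"__command__": "print(1)"}}')

plain = json.loads(PAYLOAD)                             # default decoder
hooked = json.loads(PAYLOAD, object_hook=command_hook)  # customised decoder

if __name__ == "__main__":
    print(sorted(t.__name__ for t in decoded_types(plain)))
    print("default decoder inert:", is_inert(plain))
    print("with object_hook inert:", is_inert(hooked))
```
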