As I see it, the unsafe callables (eval, exec, os.system, etc.) are generally functions, and safe ones (int, list, dict) are generally classes, though there certainly would be exceptions. Would it be too great of a breaking change to block function callables by default? That might be an incremental step towards better security.
--Edwin

On 7/11/2020 8:45 PM, Greg Ewing wrote:
> On 12/07/20 8:54 am, Wes Turner wrote:
>> Would it be feasible to just NOP callables when safe=True?
>
> This would break pickle, because calling constructors is
> the way many objects are unpickled. And it's not easy to
> tell which callables are safe to use as constructors and
> which aren't.
>
_______________________________________________
Python-ideas mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/2QTTMNO5LPX6EZLUTMI3QZTNWKY5LPYD/
Code of Conduct: http://python.org/psf/codeofconduct/
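The two positions in this exchange can be compared directly in code. The following is an added example, not code from anyone in the thread: `HeuristicUnpickler` implements the class-versus-function rule proposed above by overriding `find_class`, and `AllowlistUnpickler` is the explicit-allowlist pattern documented in the pickle module's "Restricting Globals" section. The sample pickles (`SAMPLES`) are constructed inline; the `SAFE_BUILTINS` set is an assumed application-specific allowlist, not anything the thread specifies.

```python
"""Two find_class policies for restricting what an Unpickler may resolve.

Added example, not code from the thread. HeuristicUnpickler implements the
class-vs-function rule proposed above; AllowlistUnpickler is the pattern from
the pickle documentation ("Restricting Globals"). The sample pickles are
constructed inline.
"""
import builtins
import collections
import inspect
import io
import os
import pickle


class HeuristicUnpickler(pickle.Unpickler):
    """Admit any global that is a class, refuse any that is not.

    This is the heuristic from the message above. It still imports the named
    module (the base-class lookup does that), and it admits every class in
    every importable module, not just the ones the application expects.
    """

    def find_class(self, module, name):
        obj = super().find_class(module, name)
        if inspect.isclass(obj):
            return obj
        raise pickle.UnpicklingError(f"callable {module}.{name} is not a class")


# Assumed allowlist: the only globals this hypothetical application needs.
SAFE_BUILTINS = frozenset({"range", "complex", "set", "frozenset", "slice"})


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only allowlisted builtins; refuse everything else by name."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def loads_with(unpickler_cls, data: bytes):
    """Analogue of pickle.loads() using the given Unpickler subclass."""
    return unpickler_cls(io.BytesIO(data)).load()


def decide(unpickler_cls, data: bytes) -> str:
    """Return 'allowed' if the policy lets the pickle load, else 'refused'."""
    try:
        loads_with(unpickler_cls, data)
    except pickle.UnpicklingError:
        return "refused"
    return "allowed"


# Constructed sample pickles; none of them is ever fed to the default Unpickler.
SAMPLES = {
    # Plain containers: no GLOBAL opcode at all, so find_class is never consulted.
    "containers": pickle.dumps({"n": 1, "xs": [1, 2, 3]}),
    # range has no dedicated opcode; it is rebuilt by *calling* builtins.range,
    # which is Greg's point: constructor calls are how such objects come back.
    "range": pickle.dumps(range(15)),
    # A reference to a function global (the kind the heuristic wants to block).
    "function": pickle.dumps(os.system),
    # A class from outside builtins: class-shaped, so the heuristic admits it,
    # while the allowlist refuses it because nothing asked for it.
    "foreign_class": pickle.dumps(collections.OrderedDict(a=1)),
}


def evaluate_policies() -> dict:
    """Map each sample label to (heuristic decision, allowlist decision)."""
    return {
        label: (decide(HeuristicUnpickler, data), decide(AllowlistUnpickler, data))
        for label, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (heuristic, allowlist) in evaluate_policies().items():
        print(f"{label:14} heuristic={heuristic:8} allowlist={allowlist}")
```

Running it shows both policies agreeing on the easy cases (containers and `range` load, the function reference is refused) and disagreeing on `foreign_class`: the class-or-not test admits any class in any importable module, whereas the allowlist refuses what the application never declared a need for. That gap is the "exceptions" caveat in the proposal made concrete, and it is why the pickle documentation recommends naming the permitted globals rather than classifying callables by kind.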
