As I see it, the unsafe callables (eval, exec, os.system, etc.) are generally functions, and safe ones (int, list, dict) are generally classes, though there certainly would be exceptions. Would it be too great of a breaking change to block function callables by default? That might be an incremental step towards better security.
--Edwin

On 7/11/2020 8:45 PM, Greg Ewing wrote:
> On 12/07/20 8:54 am, Wes Turner wrote:
>> Would it be feasible to just NOP callables when safe=True?
>
> This would break pickle, because calling constructors is
> the way many objects are unpickled. And it's not easy to
> tell which callables are safe to use as constructors and
> which aren't.
>
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/2QTTMNO5LPX6EZLUTMI3QZTNWKY5LPYD/
Code of Conduct: http://python.org/psf/codeofconduct/
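
An added example, not part of the original message and not code from CPython: one way to try the class-only default suggested above is to override `pickle.Unpickler.find_class`. The names `ClassOnlyUnpickler`, `class_only_loads`, `verdict` and `CallsFunction` are hypothetical, and the sample pickles are constructed.

```python
import argparse
import collections
import io
import pickle


class ClassOnlyUnpickler(pickle.Unpickler):
    """Hypothetical loader: resolve pickled globals only if they are classes."""

    def find_class(self, module, name):
        # The base implementation imports `module` before the object can be
        # inspected, so import-time side effects are not prevented here.
        obj = super().find_class(module, name)
        if not isinstance(obj, type):
            raise pickle.UnpicklingError(
                f"blocked non-class callable {module}.{name}")
        # A class whose constructor has side effects still passes this check.
        return obj


def class_only_loads(data):
    return ClassOnlyUnpickler(io.BytesIO(data)).load()


def verdict(data):
    """Return 'loaded', or the reason the stream was rejected."""
    try:
        class_only_loads(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return str(exc)


class CallsFunction:
    """Constructed sample: its pickle asks the loader to call len('abc')."""

    def __reduce__(self):
        return (len, ("abc",))


if __name__ == "__main__":
    ns = argparse.Namespace(user="alice")  # plain instance, default reduce
    samples = {
        "OrderedDict": pickle.dumps(collections.OrderedDict(a=1)),
        "function via __reduce__": pickle.dumps(CallsFunction()),
        "plain instance, protocol 2": pickle.dumps(ns, protocol=2),
        "plain instance, protocol 0": pickle.dumps(ns, protocol=0),
    }
    for label, data in samples.items():
        print(f"{label}: {verdict(data)}")
```

The protocol 0 sample is rejected because older protocols rebuild plain instances through the function `copyreg._reconstructor`, which shows how much existing pickle data a function-blocking default would break.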