If there were a configurable allow list of "safe" types, what in the stdlib would and wouldn't be on the list?

On Sat, Jul 11, 2020, 9:16 PM Edwin Zimmerman <[email protected]> wrote:

> As I see it, the unsafe callables (eval, exec, os.system, etc) are
> generally functions, and safe ones (int, list, dict) are generally classes,
> though there certainly would be exceptions.
> Would it be too great of a breaking change to block function callables by
> default? That might be an incremental step towards better security.
>
> --Edwin
> On 7/11/2020 8:45 PM, Greg Ewing wrote:
> > On 12/07/20 8:54 am, Wes Turner wrote:
> >> Would it be feasible to just NOP callables when safe=True?
> >
> > This would break pickle, because calling constructors is
> > the way many objects are unpickled. And it's not easy to
> > tell which callables are safe to use as constructors and
> > which aren't.

_______________________________________________
Python-ideas mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/DCL3LWP7F5IZNKAEMQGD5KJ6PA5UKMQ6/
Code of Conduct: http://python.org/psf/codeofconduct/
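
The allow-list idea raised in this thread can already be sketched with the stdlib's `pickle.Unpickler.find_class` hook. The following is an added example, not code from any poster in the thread; the contents of `ALLOWED_GLOBALS` and the sample objects are assumptions chosen for illustration.

```python
import collections
import io
import os
import pickle

# Assumed allow list for this sketch: (module, name) pairs the loader may resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals named on the allow list."""

    def find_class(self, module, name):
        # Every global the pickle stream references (class or function) passes
        # through here before it can be called as a constructor.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allow list")


def restricted_loads(data):
    return AllowListUnpickler(io.BytesIO(data)).load()


class CallsFunction:
    """Constructed sample: its pickle asks the loader to call a harmless function."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample objects.
PLAIN = {"k": [1, 2, 3]}                 # dict/list/int use dedicated opcodes, no global lookup
ORDERED = collections.OrderedDict(a=1)   # class on the allow list
COUNTED = collections.Counter("aab")     # class, but not on the allow list


def try_roundtrip(obj):
    """Pickle obj, then load it through the allow list; report a block as a string."""
    try:
        return restricted_loads(pickle.dumps(obj))
    except pickle.UnpicklingError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for sample in (PLAIN, ORDERED, COUNTED, CallsFunction()):
        print(type(sample).__name__, "->", try_roundtrip(sample))
```

Keying the list on exact (module, name) pairs sidesteps the function-versus-class heuristic discussed above: a class that is not listed is rejected just like a function, and constructors that are listed still work.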
