author | Florian Bruhin <me@the-compiler.org> | 2020-10-06 14:21:56 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-06 14:21:56 (GMT) |
commit | a8bf44d04915f7366d9f8dfbf84822ac37a4bab3 (patch) | |
tree | 125751f9aff69c9fcdca241b285ff0827cbf30e7 | |
parent | 2ef5caa58febc8968e670e39e3d37cf8eef3cab8 (diff) | |
bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)
Similarly to GH-22566, those tests called eval() on content received via
HTTP in test_named_sequences_full. This likely isn't exploitable because
unicodedata.lookup(seqname) is called before self.checkletter(seqname,
None) - thus any string which isn't a valid unicode character name
wouldn't ever reach the checkletter method.
Still, it's probably better to be safe than sorry.
-rw-r--r-- | Lib/test/test_ucn.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Lib/test/test_ucn.py b/Lib/test/test_ucn.py index e95f911..cbfd5af 100644 --- a/Lib/test/test_ucn.py +++ b/Lib/test/test_ucn.py @@ -7,6 +7,7 @@ Modified for Python 2.0 by Fredrik Lundh (fredrik@pythonware.com) """#" +import ast import unittest import unicodedata @@ -24,7 +25,7 @@ class UnicodeNamesTest(unittest.TestCase): # Helper that put all \N escapes inside eval'd raw strings, # to make sure this script runs even if the compiler # chokes on \N escapes - res = eval(r'"\N{%s}"' % name) + res = ast.literal_eval(r'"\N{%s}"' % name) self.assertEqual(res, code) return res |
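Review bot: In the second hunk (@@ -24,7 +25,7 @@), the helper comment directly above the changed line still reads "put all \N escapes inside eval'd raw strings", which no longer describes the call now that it is `ast.literal_eval(r'"\N{%s}"' % name)`; please update the comment to match, and say there why a literal-only evaluator is used (the commit message notes that names can come from content received via HTTP). Note also that `name` is still interpolated with `%` into the quoted literal, so a name containing a double quote would make `ast.literal_eval` raise instead of reaching `self.assertEqual(res, code)`; that is the safe outcome, but a one-line remark in the comment would make the intended failure mode explicit.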