summaryrefslogtreecommitdiffstats
path: root/Doc/library/ast.rst
diff options
context:
space:
mode:
Diffstat (limited to 'Doc/library/ast.rst')
-rw-r--r--Doc/library/ast.rst24
1 files changed, 16 insertions, 8 deletions
diff --git a/Doc/library/ast.rst b/Doc/library/ast.rst
index 65f69df..17ab87f 100644
--- a/Doc/library/ast.rst
+++ b/Doc/library/ast.rst
@@ -1959,20 +1959,28 @@ and classes for traversing abstract syntax trees:
.. function:: literal_eval(node_or_string)
- Safely evaluate an expression node or a string containing a Python literal or
+ Evaluate an expression node or a string containing only a Python literal or
container display. The string or node provided may only consist of the
following Python literal structures: strings, bytes, numbers, tuples, lists,
dicts, sets, booleans, ``None`` and ``Ellipsis``.
- This can be used for safely evaluating strings containing Python values from
- untrusted sources without the need to parse the values oneself. It is not
- capable of evaluating arbitrarily complex expressions, for example involving
- operators or indexing.
+ This can be used for evaluating strings containing Python values without the
+ need to parse the values oneself. It is not capable of evaluating
+ arbitrarily complex expressions, for example involving operators or
+ indexing.
+
+ This function had been documented as "safe" in the past without defining
+ what that meant. That was misleading. This is specifically designed not to
+ execute Python code, unlike the more general :func:`eval`. There is no
+ namespace, no name lookups, or ability to call out. But it is not free from
+ attack: A relatively small input can lead to memory exhaustion or to C stack
+ exhaustion, crashing the process. There is also the possibility for
+ excessive CPU consumption denial of service on some inputs. Calling it on
+ untrusted data is thus not recommended.
.. warning::
- It is possible to crash the Python interpreter with a
- sufficiently large/complex string due to stack depth limitations
- in Python's AST compiler.
+ It is possible to crash the Python interpreter due to stack depth
+ limitations in Python's AST compiler.
It can raise :exc:`ValueError`, :exc:`TypeError`, :exc:`SyntaxError`,
:exc:`MemoryError` and :exc:`RecursionError` depending on the malformed
generated by cgit v0.12 at 2024-11-30 17:36:04 (GMT)