From 90d62ab0a175b8f3451ee74f29d5de83650e2292 Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Wed, 10 Dec 1997 22:35:02 +0000
Subject: Since this module is used as a fallback in case no built-in modules have been configured, string.atof() should not fail when "import re" fails (usually because pcre is not there). This opens up a tiny security hole: *if* an attacker can make "import re" fail, they can also make string.atof(arbitrary_string) evaluate the arbitrary string. Nothing to keep me awake at night...

---
 Lib/string.py | 10 +++++++---
 Lib/stringold.py | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/Lib/string.py b/Lib/string.py
index 2139a75..8c64952 100644
--- a/Lib/string.py
+++ b/Lib/string.py
@@ -203,7 +203,11 @@ re = None
 def atof(str):
         global re
         if re is None:
-                import re
+                # Don't fail if re doesn't exist -- just skip the syntax check
+                try:
+                        import re
+                except ImportError:
+                        re = 0
         sign = ''
         s = strip(str)
         if s and s[0] in '+-':
@@ -212,10 +216,10 @@ def atof(str):
         if not s:
                 raise ValueError, 'non-float argument to string.atof'
         while s[0] == '0' and len(s) > 1 and s[1] in digits: s = s[1:]
-        if not re.match('[0-9]*(\.[0-9]*)?([eE][-+]?[0-9]+)?$', s):
+        if re and not re.match('[0-9]*(\.[0-9]*)?([eE][-+]?[0-9]+)?$', s):
                 raise ValueError, 'non-float argument to string.atof'
         try:
-                return float(eval(sign + s))
+                return float(eval(sign + s, {}))
         except SyntaxError:
                 raise ValueError, 'non-float argument to string.atof'
 
diff --git a/Lib/stringold.py b/Lib/stringold.py
index 2139a75..8c64952 100644
--- a/Lib/stringold.py
+++ b/Lib/stringold.py
@@ -203,7 +203,11 @@ re = None
 def atof(str):
         global re
         if re is None:
-                import re
+                # Don't fail if re doesn't exist -- just skip the syntax check
+                try:
+                        import re
+                except ImportError:
+                        re = 0
         sign = ''
         s = strip(str)
         if s and s[0] in '+-':
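Review bot: The new `re = 0` line turns the module-level `re` into a tri-state value (None = import not yet attempted, 0 = import tried and failed, module = loaded), but the comment above the `try:` only explains the first half, so a reader of `if re and not re.match(...)` later in atof has to reconstruct why 0 was chosen over None. I would extend the comment to `# re = 0 marks "tried and unavailable" so later calls skip both the import and the syntax check`. The same comment belongs in the identical hunk of Lib/stringold.py. atof's body continues past the end of this hunk.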
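Review bot: On the new `if re and not re.match(...)` line the whole syntax check is skipped when `re` is 0, so `s` reaches `eval` unvalidated, and the `{}` passed on the new `eval(sign + s, {})` line narrows less than it looks: it hides string.py's own module names, but CPython inserts `__builtins__` into a globals dict that lacks it, so the evaluated text still runs with the full builtin namespace. This is the hole the commit message acknowledges, and `{}` does not close it. Since the hunk already has `digits` in scope (used on the `while` line), a cheap fallback keeps validation even without `re`: when the module is unavailable, reject any character outside `digits + '.eE+-'` before `eval` sees the string, which limits what can reach `eval` to float-looking text. The same change applies to the identical second hunk of Lib/stringold.py; atof's signature and the start of its body are outside this hunk.
```python
        if re:
                if not re.match('[0-9]*(\.[0-9]*)?([eE][-+]?[0-9]+)?$', s):
                        raise ValueError, 'non-float argument to string.atof'
        else:
                # No regex module available: fall back to a character-class
                # check so eval() never sees anything outside float syntax.
                for c in s:
                        if c not in digits + '.eE+-':
                                raise ValueError, 'non-float argument to string.atof'
        # ... unchanged: try / eval(sign + s, {}) / except SyntaxError ...
```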
@@ -212,10 +216,10 @@ def atof(str):
         if not s:
                 raise ValueError, 'non-float argument to string.atof'
         while s[0] == '0' and len(s) > 1 and s[1] in digits: s = s[1:]
-        if not re.match('[0-9]*(\.[0-9]*)?([eE][-+]?[0-9]+)?$', s):
+        if re and not re.match('[0-9]*(\.[0-9]*)?([eE][-+]?[0-9]+)?$', s):
                 raise ValueError, 'non-float argument to string.atof'
         try:
-                return float(eval(sign + s))
+                return float(eval(sign + s, {}))
         except SyntaxError:
                 raise ValueError, 'non-float argument to string.atof'
 
-- 
cgit v0.12