Message 361995 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	BTaskaya
Recipients	BTaskaya, rhettinger
Date	2020-02-14.19:37:51
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<[email protected]>
In-reply-to

Content
> 1) We should document possible exceptions that need to be caught. So far, I've found TypeError, MemoryError, SyntaxError, ValueError. Maybe we should wrap all of these into something like LiteralEvalError to easily catch all of them, LiteralEvalError can be subclass of that four but I guess in some cases this change might break code. > 2) Define a size limit guaranteed not to give a MemoryError. The smallest unsafe size I've found so far is 301 characters: >>> s = "(" * 101 + ")" * 101 >>> len(s) 202 >>> ast.literal_eval(s) s_push: parser stack overflow Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/local/lib/python3.9/ast.py", line 61, in literal_eval node_or_string = parse(node_or_string, mode='eval') File "/usr/local/lib/python3.9/ast.py", line 49, in parse return compile(source, filename, mode, flags, MemoryError > 3) Consider writing a standalone expression compiler that doesn't have the same small limits as our usual compile() function. This would make literal_eval() usable for evaluating tainted inputs with bigger datasets. (Imagine if the json module could only be safely used with inputs under 301 characters). Can you explain it a bit more detailed, how does this standalone expression compiler should work?

> 1) We should document possible exceptions that need to be caught.  So far, I've found TypeError, MemoryError, SyntaxError, ValueError.

Maybe we should wrap all of these into something like LiteralEvalError to easily catch all of them, LiteralEvalError can be subclass of that four but I guess in some cases this change might break code.

> 2) Define a size limit guaranteed not to give a MemoryError.  The smallest unsafe size I've found so far is 301 characters:

>>> s = "(" * 101 + ")" * 101
>>> len(s)
202
>>> ast.literal_eval(s)
s_push: parser stack overflow
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.9/ast.py", line 61, in literal_eval
    node_or_string = parse(node_or_string, mode='eval')
  File "/usr/local/lib/python3.9/ast.py", line 49, in parse
    return compile(source, filename, mode, flags,
MemoryError

> 3) Consider writing a standalone expression compiler that doesn't have the same small limits as our usual compile() function.  This would make literal_eval() usable for evaluating tainted inputs with bigger datasets. (Imagine if the json module could only be safely used with inputs under 301 characters).

Can you explain it a bit more detailed, how does this standalone expression compiler should work?

History
Date	User	Action	Args
2020-02-14 19:37:52	BTaskaya	set	recipients: + BTaskaya, rhettinger
2020-02-14 19:37:52	BTaskaya	set	messageid: <[email protected]>
2020-02-14 19:37:52	BTaskaya	link	issue39159 messages
2020-02-14 19:37:51	BTaskaya	create