Cross-reference ast.literal_eval() from eval() docs #52183

Closed
kjohnson mannequin opened this issue Feb 15, 2010 · 2 comments
Labels
docs Documentation in the Doc dir type-feature A feature request or enhancement

Comments

@kjohnson
Mannequin

kjohnson mannequin commented Feb 15, 2010

BPO 7935
Nosy @birkenfeld

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2010-07-11.09:42:19.498>
created_at = <Date 2010-02-15.13:38:18.147>
labels = ['type-feature', 'docs']
title = 'Cross-reference ast.literal_eval() from eval() docs'
updated_at = <Date 2010-07-11.09:42:19.497>
user = 'https://bugs.python.org/kjohnson'

bugs.python.org fields:

activity = <Date 2010-07-11.09:42:19.497>
actor = 'georg.brandl'
assignee = 'docs@python'
closed = True
closed_date = <Date 2010-07-11.09:42:19.498>
closer = 'georg.brandl'
components = ['Documentation']
creation = <Date 2010-02-15.13:38:18.147>
creator = 'kjohnson'
dependencies = []
files = []
hgrepos = []
issue_num = 7935
keywords = []
message_count = 2.0
messages = ['99363', '109976']
nosy_count = 3.0
nosy_names = ['georg.brandl', 'kjohnson', 'docs@python']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue7935'
versions = ['Python 3.2']

@kjohnson
Mannequin Author

kjohnson mannequin commented Feb 15, 2010

eval() is a known security hole. Since Python 2.6 ast.literal_eval() provides a better alternative in many cases. literal_eval() is not as well known as eval() and not easy to find even if you know it exists (but don't remember the name).

eval() comes up over and over in the Python-tutor list and the attendant warnings are repeated ad nauseam; literal_eval() is rarely mentioned as an alternative.

Suggestion: in the docs for eval(), put a warning about security risks and a cross-reference to literal_eval(). For example:

Warning: eval() executes any expression and should be used only with trusted input. ast.literal_eval() is a safe alternative for evaluating expressions containing only Python literals.

Thanks!

@kjohnson kjohnson mannequin assigned birkenfeld Feb 15, 2010
@kjohnson kjohnson mannequin added docs Documentation in the Doc dir type-feature A feature request or enhancement labels Feb 15, 2010
@BreamoreBoy BreamoreBoy mannequin assigned docspython and unassigned birkenfeld Jul 10, 2010
@birkenfeld
Member

Added reference in r82805. Thanks!

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
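
The difference the proposed warning describes, as an added example that is not part of the original issue or of the CPython docs: the same untrusted text passed to `eval()` and to `ast.literal_eval()`. The names `Canary`, `trip`, `parse_with_eval`, `parse_literal` and the `MAX_LEN` cap are hypothetical, and the sample inputs are constructed.

```python
import ast

MAX_LEN = 1024  # assumed size cap for untrusted input (not from the issue)

class Canary:
    """Stand-in for any side effect that evaluated input could cause."""
    def __init__(self):
        self.triggered = False

    def trip(self):
        self.triggered = True
        return 0

def parse_with_eval(text, canary):
    """Unsafe pattern: eval() executes calls embedded in the input."""
    return eval(text, {"trip": canary.trip})

def parse_literal(text):
    """Parse untrusted text as a Python literal; return (ok, value_or_reason)."""
    if len(text) > MAX_LEN:
        # literal_eval() still has to parse its input, so bound the size first.
        return False, "input too long"
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        # Names, calls and operators such as ** are not literals.
        return False, f"not a literal: {type(exc).__name__}"
    except (RecursionError, MemoryError) as exc:
        # Deeply nested input can exhaust the parser on some versions.
        return False, f"resource limit: {type(exc).__name__}"

# Constructed sample inputs: one plain literal, then inputs that must be rejected.
SAMPLES = [
    "{'retries': 3, 'hosts': ['a', 'b'], 'tls': True}",
    "[1, 2, trip()]",
    "2 ** 8",
    "[" * 500 + "]" * 500,
    "9" * 2000,
]

if __name__ == "__main__":
    canary = Canary()
    value = parse_with_eval("[1, 2, trip()]", canary)
    print("eval:", value, "| canary tripped:", canary.triggered)
    for sample in SAMPLES:
        print(repr(sample[:40]), "->", parse_literal(sample))
```

`literal_eval()` refuses anything that is not a literal, but it still parses the whole string, which is why the wrapper bounds input length and catches resource errors as well.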