derek-schaefer / django-json-field

Generic JSON model and form fields.
BSD 3-Clause "New" or "Revised" License
122 stars, 86 forks

JSONFormField should absolutely not be eval-ing user-supplied content. #18

Closed fletom closed 11 years ago

fletom commented 11 years ago

Think hiding __builtins__ helps? Nope.

(x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings').next()()._module.__builtins__
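The point of the report above is that no amount of namespace stripping makes eval safe on attacker-controlled strings; the only fix is to stop evaluating Python and parse JSON with a real JSON parser. The following is an added example (not code from django-json-field) of what the field's to_python step looks like once it relies on json.loads: the helper name parse_json_field and its ValueError signalling are assumptions (the real form field would subclass django.forms.Field and raise ValidationError), and the sample inputs are constructed. It also shows the behavioural change a maintainer has to accept: Python-literal syntax such as single-quoted keys, which eval happily accepted, is now rejected along with everything else that is not JSON.

```python
import json


def parse_json_field(value, required=False):
    """Decode one JSONFormField submission safely.

    Uses json.loads instead of eval, so the input is treated strictly as
    data: a JSON document is decoded into Python objects, and anything
    else (including Python expressions and Python literal syntax) is
    rejected. Returns None for an empty optional field. Raises ValueError
    on invalid input; a Django field would convert that to ValidationError.
    """
    # Empty submission: error if required, otherwise no value.
    if value is None or (isinstance(value, str) and value.strip() == ""):
        if required:
            raise ValueError("This field is required.")
        return None
    # Values that were already decoded (e.g. an initial dict) pass through.
    if not isinstance(value, str):
        return value
    try:
        return json.loads(value)
    except ValueError as exc:
        # json.JSONDecodeError is a ValueError subclass; never fall back to eval.
        raise ValueError("Enter valid JSON: %s" % exc)


def rejects(value):
    """True if parse_json_field refuses the value instead of decoding it."""
    try:
        parse_json_field(value)
    except ValueError:
        return True
    return False


# Constructed sample submissions: the first two are well-formed JSON, the
# rest are strings a JSON field must refuse rather than evaluate.
SAMPLES = {
    "json_object": '{"tags": ["a", "b"], "count": 2}',
    "json_scalar": "42",
    "python_literal": "{'tags': ['a', 'b']}",          # single quotes: not JSON
    "python_expression": "(1).__class__.__base__",     # an expression, not data
    "python_call": "__import__('os')",                 # a call, not data
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", "rejected" if rejects(raw) else parse_json_field(raw))
```

Note that json.loads also closes the usual eval side channels: the parser never resolves attribute names, never calls anything, and the only objects it can produce are dicts, lists, strings, numbers, booleans and None.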
derek-schaefer commented 11 years ago

Good point, that should certainly be disabled by default. Will commit shortly.