jim-easterbrook / pywws

Python software for USB Wireless WeatherStations
https://pywws.readthedocs.io/
GNU General Public License v2.0

Improved resilience by removing some occurrences of eval(…) #73

Closed jarvisms closed 5 years ago

jarvisms commented 5 years ago

Removed numerous eval() functions with safer int(), float(), bool() or literal_eval() from "ast" library. This was to reduce risk of executable python statements in the config files causing issues.

Signed-off-by: Mark Jarvis jarvism@thisaddressdoesnotexist.co.uk

jim-easterbrook commented 5 years ago

Is this really needed? The config files aren't really "untrusted" input. It's sensible to replace eval with float, int, or bool where appropriate though.

jim-easterbrook commented 5 years ago

Although bool('False') gives the wrong answer in this context.

jarvisms commented 5 years ago

True... literally. There were only two so I switched them for literal_eval too, although the underlying configparser has a getboolean method and others, it seems easier to do it this way to cope with a few other scenarios like importing tuples. I know it seems insignificant, but I was going for a bit of security by design - although I'm not committed enough to do this where the xml graph templates are involved!
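The discussion above, worked through as an added example (this is not code from the pywws project or from either commenter; the config file contents, section and option names are constructed for illustration). It shows why `bool('False')` is the wrong replacement for `eval`, how `configparser.getboolean` and `ast.literal_eval` handle the same values safely, and that `literal_eval` rejects anything that is not a plain Python literal, such as a function call, which is the property that makes it a safe substitute for `eval` on config values:

```python
import ast
import configparser
from typing import Any

# Constructed sample config text (not a real pywws file). It mixes the value
# kinds mentioned in the PR thread: a float, an int, a boolean and a tuple.
SAMPLE_CONFIG = """
[config]
pressure offset = 3.5
frequency = 12
daytime = False
graph range = (-10, 40)
"""


def load_sample_config(text: str = SAMPLE_CONFIG) -> configparser.ConfigParser:
    """Parse config text with the standard-library ConfigParser."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def naive_bool(value: str) -> bool:
    """The pitfall raised in the thread: bool() on any non-empty string is True,
    so bool('False') silently yields True."""
    return bool(value)


def config_bool(cp: configparser.ConfigParser, section: str, option: str) -> bool:
    """Safe alternative: getboolean() understands true/false, yes/no, on/off, 1/0
    (case-insensitive) and raises ValueError on anything else."""
    return cp.getboolean(section, option)


def parse_literal(value: str) -> Any:
    """Safe alternative for non-boolean values such as tuples.

    ast.literal_eval only accepts Python literal syntax (numbers, strings,
    booleans, None, tuples, lists, dicts, sets). Unlike eval(), it never
    evaluates calls, attribute access or names, so a config value cannot
    execute code; such input raises ValueError instead.
    """
    return ast.literal_eval(value)


def is_plain_literal(value: str) -> bool:
    """Report whether a string would be accepted by literal_eval, without
    falling back to eval() when it is not."""
    try:
        ast.literal_eval(value)
        return True
    except (ValueError, SyntaxError):
        return False


def get_typed(cp: configparser.ConfigParser, section: str, option: str, kind: str) -> Any:
    """Read one option with an explicit parser instead of eval().

    kind is one of 'int', 'float', 'bool' or 'literal'; unknown kinds and
    malformed values raise ValueError rather than being interpreted loosely.
    """
    raw = cp.get(section, option)
    if kind == "int":
        return int(raw)
    if kind == "float":
        return float(raw)
    if kind == "bool":
        return config_bool(cp, section, option)
    if kind == "literal":
        return parse_literal(raw)
    raise ValueError(f"unknown kind {kind!r} for option {option!r}")


if __name__ == "__main__":
    cp = load_sample_config()
    print("naive bool('False') ->", naive_bool(cp.get("config", "daytime")))
    print("getboolean           ->", config_bool(cp, "config", "daytime"))
    print("literal tuple        ->", get_typed(cp, "config", "graph range", "literal"))
    print("float('1.0') literal?->", is_plain_literal("float('1.0')"))
```

Running the script prints `True` for the naive conversion and `False` for `getboolean`, reads the tuple back as `(-10, 40)`, and reports that the call expression `float('1.0')` is not a literal, which is exactly the class of input the PR set out to stop reaching `eval`.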