Closed jarvisms closed 5 years ago
Is this really needed? The config files aren't really "untrusted" input. It's sensible to replace `eval` with `float`, `int`, or `bool` where appropriate though. Although `bool('False')` gives the wrong answer in this context.
True... literally. There were only two, so I switched them for `literal_eval` too. Although the underlying `configparser` has a `getboolean` method and others, it seems easier to do it this way to cope with a few other scenarios like importing tuples. I know it seems insignificant, but I was going for a bit of security by design - although I'm not committed enough to do this where the xml graph templates are involved!
Replaced numerous `eval()` calls with safer `int()`, `float()`, `bool()` or `literal_eval()` from the `ast` library. This was to reduce the risk of executable Python statements in the config files causing issues.

Signed-off-by: Mark Jarvis jarvism@thisaddressdoesnotexist.co.uk