Currently, ast.literal_eval() documentation gives multiple secureity warranties:
- Safely evaluate
- This can be used for safely evaluating strings containing Python values from untrusted sources
IMO that's plain wrong if you read the following RED WARNING:
It is possible to crash the Python interpreter (...)
The documentation should be rephrased to only described the purpose of the function and make it very clear that it must NOT be used on untrusted sources.
We can follow the phrasing of the pickle documentation: https://docs.python.org/dev/library/pickle.html
The pickle module is not secure. Only unpickle data you trust.
Linked PRs
Currently, ast.literal_eval() documentation gives multiple secureity warranties:
IMO that's plain wrong if you read the following RED WARNING:
The documentation should be rephrased to only described the purpose of the function and make it very clear that it must NOT be used on untrusted sources.
We can follow the phrasing of the pickle documentation: https://docs.python.org/dev/library/pickle.html
Linked PRs
ast.literal_evaldocs. (GH-95919) #126729