Use ast.literal_eval() instead of eval() when possible.

It's unlikely to change anything, but a little more safety
does not hurt.
This commit is contained in:
Valentin Lorentz 2017-02-25 13:10:33 +01:00
parent 8bae847682
commit dab026169f
2 changed files with 12 additions and 7 deletions


@ -516,15 +516,15 @@ class IrcUserCreator(Creator):
def ignore(self, rest, lineno): def ignore(self, rest, lineno):
self._checkId() self._checkId()
self.u.ignore = bool(eval(rest)) self.u.ignore = bool(utils.gen.safeEval(rest))
def secure(self, rest, lineno): def secure(self, rest, lineno):
self._checkId() self._checkId()
self.u.secure = bool(eval(rest)) self.u.secure = bool(utils.gen.safeEval(rest))
def hashed(self, rest, lineno): def hashed(self, rest, lineno):
self._checkId() self._checkId()
self.u.hashed = bool(eval(rest)) self.u.hashed = bool(utils.gen.safeEval(rest))
def password(self, rest, lineno): def password(self, rest, lineno):
self._checkId() self._checkId()
@ -580,11 +580,11 @@ class IrcChannelCreator(Creator):
def lobotomized(self, rest, lineno): def lobotomized(self, rest, lineno):
self._checkId() self._checkId()
self.c.lobotomized = bool(eval(rest)) self.c.lobotomized = bool(utils.gen.safeEval(rest))
def defaultallow(self, rest, lineno): def defaultallow(self, rest, lineno):
self._checkId() self._checkId()
self.c.defaultAllow = bool(eval(rest)) self.c.defaultAllow = bool(utils.gen.safeEval(rest))
def capability(self, rest, lineno): def capability(self, rest, lineno):
self._checkId() self._checkId()
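Review bot: Swapping `eval(rest)` for `utils.gen.safeEval(rest)` changes the failure mode of every one of these setters: safeEval raises `ValueError('Unsafe string: ...')` (and, judging by the second file, wraps parse failures the same way) where `eval` raised `SyntaxError` or `NameError`, so whatever loop feeds `rest` to these Creator methods must catch `ValueError` if it currently catches only the old types — that caller is outside the hunk and I cannot confirm it. Since `rest` is a field read back from the on-disk user/channel database, the narrower evaluator is the right direction; it would be worth a one-line comment on the first changed setter such as `# rest is read from the DB file; safeEval accepts literals only and raises ValueError otherwise` so the next reader knows the exception type is intentional. This also assumes `utils` is already imported in this module, which the hunks do not show. The same point applies to both hunks here (`IrcUserCreator` and `IrcChannelCreator`); the `password` and `capability` methods continue past the end of their hunks.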


@ -165,7 +165,7 @@ def saltHash(password, salt=None, hash='sha'):
return '|'.join([salt, hasher((salt + password).encode('utf8')).hexdigest()]) return '|'.join([salt, hasher((salt + password).encode('utf8')).hexdigest()])
_astStr2 = ast.Str if minisix.PY2 else ast.Bytes _astStr2 = ast.Str if minisix.PY2 else ast.Bytes
def safeEval(s, namespace={'True': True, 'False': False, 'None': None}): def safeEval(s, namespace=None):
"""Evaluates s, safely. Useful for turning strings into tuples/lists/etc. """Evaluates s, safely. Useful for turning strings into tuples/lists/etc.
without unsafely using eval().""" without unsafely using eval()."""
try: try:
@ -196,7 +196,12 @@ def safeEval(s, namespace={'True': True, 'False': False, 'None': None}):
else: else:
return False return False
if checkNode(node): if checkNode(node):
if namespace is None:
return eval(s, namespace, namespace) return eval(s, namespace, namespace)
else:
# Probably equivalent to eval() because checkNode(node) is True,
# but it's an extra security.
return ast.literal_eval(node)
else: else:
raise ValueError(format('Unsafe string: %q', s)) raise ValueError(format('Unsafe string: %q', s))
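Review bot: As the second hunk renders, the `namespace is None` branch still returns `eval(s, namespace, namespace)` and `ast.literal_eval(node)` is reached only when a caller supplied a namespace, which then silently discards that namespace and is the reverse of what the commit title describes; if that is the order in the file, the two returns should be swapped to `if namespace is None: return ast.literal_eval(node)` and `else: return eval(s, namespace, namespace)`. If the page merely reordered the lines, ignore the swap, but the comment "it's an extra security" only makes sense on the branch that has no namespace to honour. The old default `{'True': True, 'False': False, 'None': None}` is also gone, so a caller that still passes its own mapping now goes through `eval` without those names unless it supplies them itself; `ast.literal_eval` handles those three constants on its own. `safeEval`'s body, including where `node` is parsed and `checkNode` is defined, starts outside the hunk.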