[reportlab-users] Fix for CVE-2019-17626 python-reportlab

Tim Roberts timr at probo.com
Wed Dec 11 13:33:44 EST 2019

Marius Gedminas wrote:
> Unfortunately clearing __builtins__ is not enough to make eval() safe:
> https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
> Usually ast.literal_eval() is the best safe replacement if all you need
> is ints/floats/tuples/lists.

It's also worth pointing out that most Python expressions are valid JSON 
objects.  If your code has a JSON parser, you may be able to reuse that.

Tim Roberts, timr at probo.com
Providenza & Boekelheide, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3389 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://pairlist2.pair.net/pipermail/reportlab-users/attachments/20191211/5aa29eee/attachment.bin>

More information about the reportlab-users mailing list