[reportlab-users] Fix for CVE-2019-17626 python-reportlab
Tim Roberts
timr at probo.com
Wed Dec 11 13:33:44 EST 2019
Marius Gedminas wrote:
>
> Unfortunately clearing __builtins__ is not enough to make eval() safe:
> https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
>
> Usually ast.literal_eval() is the best safe replacement if all you need
> is ints/floats/tuples/lists.
It's also worth pointing out that most Python expressions are valid JSON
objects. If your code has a JSON parser, you may be able to reuse that.
--
Tim Roberts, timr at probo.com
Providenza & Boekelheide, Inc.
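As an added illustration of the two suggestions in this thread (not code from reportlab or from either poster), the following script runs the same constructed strings through eval() with __builtins__ cleared, through ast.literal_eval(), and through json.loads(). Every input string below is made up for the demonstration; the point it shows is that clearing __builtins__ only blocks direct name lookups, while attribute access on a bare literal still executes, whereas literal_eval rejects anything that is not a literal.

```python
import ast
import json


def unsafe_literal(text):
    # The pattern under discussion: eval() with __builtins__ cleared.
    # Direct names such as __import__ fail with NameError, but attribute
    # access, operators and comprehensions are still executed, so this is
    # not a sandbox.
    return eval(text, {"__builtins__": {}}, {})


def safe_literal(text):
    # ast.literal_eval only accepts literal structures (numbers, strings,
    # bytes, tuples, lists, dicts, sets, booleans, None). Names, calls and
    # attribute access raise ValueError instead of being evaluated.
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a Python literal: %r" % (text,)) from exc


def safe_literal_json(text):
    # The alternative of reusing a JSON parser. It covers the inputs that are
    # also valid JSON ([1, 2.5, 3], {"r": 255}) but not Python-only forms such
    # as tuples or single-quoted strings.
    return json.loads(text)


PARSERS = (
    ("eval_no_builtins", unsafe_literal),
    ("literal_eval", safe_literal),
    ("json", safe_literal_json),
)


def compare(text):
    # Feed one string to all three parsers and report the value each returns,
    # or the name of the exception it raised, so the behaviours can be
    # compared side by side.
    results = {}
    for name, parse in PARSERS:
        try:
            results[name] = parse(text)
        except Exception as exc:  # noqa: BLE001 - we want to record any failure
            results[name] = type(exc).__name__
    return results


# Constructed inputs for the demonstration (not taken from any real bug report).
SAMPLES = [
    "(1, 0.5, 0)",                   # a colour-like tuple: fine for eval and literal_eval
    "[255, 128, 0]",                 # valid for all three
    "-1.5e3",                        # signed float literal
    "__import__('os').getcwd()",     # blocked by the empty __builtins__ (NameError)
    "().__class__.__name__",         # NOT blocked by empty __builtins__, still executes
]


if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-30s -> %s" % (sample, compare(sample)))
```

The last sample is the one that matters: eval() with no builtins still walks attributes off a bare tuple and returns the string 'tuple', which is exactly the kind of foothold the linked post describes, while literal_eval() and json.loads() both refuse it.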