On 6 Oct 2020, at 16:22, Florian Bruhin wrote:
> https://github.com/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3
> commit: a8bf44d04915f7366d9f8dfbf84822ac37a4bab3
> branch: master
> author: Florian Bruhin <me@the-compiler.org>
> committer: GitHub <noreply@github.com>
> date: 2020-10-06T16:21:56+02:00
> summary:
>
> bpo-41944: No longer call eval() on content received via HTTP in the
> UnicodeNames tests (GH-22575)
>
> Similarly to GH-22566, those tests called eval() on content received
> via
> HTTP in test_named_sequences_full. This likely isn't exploitable
> because
> unicodedata.lookup(seqname) is called before self.checkletter(seqname,
> None) - thus any string which isn't a valid unicode character name
> wouldn't ever reach the checkletter method.
>
> Still, it's probably better to be safe than sorry.
>
> files:
> M Lib/test/test_ucn.py
> [...]
> # Helper that put all \N escapes inside eval'd raw strings,
> # to make sure this script runs even if the compiler
> # chokes on \N escapes
> - res = eval(r'"\N{%s}"' % name)
> + res = ast.literal_eval(r'"\N{%s}"' % name)
> self.assertEqual(res, code)
> return res
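Review bot: the comment directly above the changed line still describes "eval'd raw strings", while the `-`/`+` pair switches the helper to `ast.literal_eval`; update the comment to say the raw string is parsed as a literal, so it matches the new behaviour. The `[...]` elides the top of the file, so confirm `import ast` is present in Lib/test/test_ucn.py. Since `ast.literal_eval` only accepts literal nodes, a `name` that smuggles extra syntax into the raw string now fails with ValueError or SyntaxError instead of being evaluated, which is the intended effect of the change.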
It would be even simpler to use unicodedata.lookup(), which returns the
Unicode character when passed the name of the character, e.g.
>>> unicodedata.lookup("NO-BREAK SPACE")
'\xa0'
Servus,
Walter
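The two approaches discussed in the thread side by side, as an added example that is not part of the commit or the reply: the fixed helper built on ast.literal_eval, and Walter's unicodedata.lookup() variant, run over constructed names (a valid one, an unknown one, and one carrying extra Python syntax) to show how each fails closed.

```python
import ast
import unicodedata


def char_via_literal_eval(name: str) -> str:
    """The helper as fixed in the commit: the \\N escape is built as a
    raw string and parsed with ast.literal_eval, which only accepts
    Python literals. Extra syntax arriving via `name` raises ValueError
    (or SyntaxError for an unknown name) instead of being evaluated."""
    return ast.literal_eval(r'"\N{%s}"' % name)


def char_via_lookup(name: str) -> str:
    """Walter's suggestion: no compiler involved at all; an unknown
    name raises KeyError."""
    return unicodedata.lookup(name)


def classify(name: str) -> dict:
    """Run both helpers on one name and record either the resulting
    character or the exception type, so the behaviour on well-formed
    and malformed input can be compared."""
    out = {}
    for label, fn in (("literal_eval", char_via_literal_eval),
                      ("lookup", char_via_lookup)):
        try:
            out[label] = ("ok", fn(name))
        except (ValueError, SyntaxError, KeyError) as exc:
            out[label] = (type(exc).__name__, None)
    return out


if __name__ == "__main__":
    # Constructed inputs: a valid name, an unknown name, and a name that
    # closes the \N{...} escape and appends a second string literal.
    for n in ["NO-BREAK SPACE",
              "NOT A CHARACTER NAME",
              'NO-BREAK SPACE}" + "\\N{NO-BREAK SPACE']:
        print(repr(n), classify(n))
```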