
Commit b67deca

A feeble attempt to plug a theoretical security hole
1 parent 44e7356 commit b67deca


1 file changed

+10
-11
lines changed


lib/matplotlib/rcsetup.py

@@ -746,17 +746,16 @@ def validate_cycler(s):
746746
# might come from the internet (future plans), this
747747
# could be downright dangerous.
748748
# I locked it down by only having the 'cycler()' function
749-
# available. Imports and defs should not
750-
# be possible. However, it is entirely possible that
751-
# a security hole could open up via attributes to the
752-
# function (this is why I decided against allowing the
753-
# Cycler class object just to reduce the number of
754-
# degrees of freedom (but maybe it is safer to use?).
755-
# One possible hole I can think of (in theory) is if
756-
# someone managed to hack the cycler module. But, if
757-
# someone does that, this wouldn't make anything
758-
# worse because we have to import the module anyway.
759-
s = eval(s, {'cycler': cycler})
749+
# available.
750+
# UPDATE: Partly plugging a security hole.
751+
# I really should have read this:
752+
# http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
753+
# We should replace this eval with a combo of PyParsing and
754+
# ast.literal_eval()
755+
if '.__' in s.replace(' ', ''):
756+
raise ValueError("'%s' seems to have dunder methods. Raising"
757+
" an exception for your safety")
758+
s = eval(s, {'cycler': cycler, '__builtins__': {}})
760759
except BaseException as e:
761760
raise ValueError("'%s' is not a valid cycler construction: %s" %
762761
(s, e))
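Review bot: the new `raise ValueError("'%s' seems to have dunder methods. Raising" " an exception for your safety")` under the `if '.__' in s.replace(' ', ''):` branch never interpolates `s`, so the user sees a literal `'%s'` in the message; either append `% s` or drop the placeholder. Beyond that, a substring denylist combined with `'__builtins__': {}` is a filter, not a sandbox, which the in-code TODO and the linked Batchelder post both acknowledge: anything reachable through the `cycler` name is still exposed to attribute access that the `.__` check does not match. Since the only intended input is a `cycler(...)` call with literal arguments, consider doing the replacement now instead of leaving it as a comment: `ast.parse(s, mode='eval')`, then accept only an `ast.Call` whose `func` is `Name('cycler')` and whose positional and keyword arguments are literals (`ast.literal_eval` on each node), rejecting every other node type. That allow-list approach also makes the `except BaseException` wrapper unnecessary, which in its current form swallows `KeyboardInterrupt` and `SystemExit` and re-raises them as `ValueError`.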
