diff mercurial/utils/stringutil.py @ 37476:e9dea82ea1f3
wireproto: convert python literal to object without using unsafe eval()
Follows up cc5a040fe150.
At this point, I don't think we need a real eval(). If we want to support
a set literal, maybe we can vendor ast.literal_eval(), which is a relatively
simple function.
author | Yuya Nishihara <yuya@tcha.org> |
date | Sun, 08 Apr 2018 11:55:46 +0900 |
parents | a67fd1fe5109 |
children | 68132a95df31 |
--- a/mercurial/utils/stringutil.py Sun Apr 08 12:30:59 2018 +0900
+++ b/mercurial/utils/stringutil.py Sun Apr 08 11:55:46 2018 +0900
@@ -9,7 +9,7 @@
 
 from __future__ import absolute_import
 
-import __future__
+import ast
 import codecs
 import re as remod
 import textwrap
@@ -499,28 +499,7 @@
     """
     return _booleans.get(s.lower(), None)
 
-def evalpython(s):
-    """Evaluate a string containing a Python expression.
-
-    THIS FUNCTION IS NOT SAFE TO USE ON UNTRUSTED INPUT. IT'S USE SHOULD BE
-    LIMITED TO DEVELOPER-FACING FUNCTIONALITY.
-    """
-    globs = {
-        r'__builtins__': {
-            r'None': None,
-            r'False': False,
-            r'True': True,
-            r'int': int,
-            r'set': set,
-            r'tuple': tuple,
-            # Don't need to expose dict and list because we can use
-            # literals.
-        },
-    }
-
-    # We can't use eval() directly because it inherits compiler
-    # flags from this module and we need unicode literals for Python 3
-    # compatibility.
-    code = compile(s, r'<string>', r'eval',
-                   __future__.unicode_literals.compiler_flag, True)
-    return eval(code, globs, {})
+def evalpythonliteral(s):
+    """Evaluate a string containing a Python literal expression"""
+    # We could backport our tokenizer hack to rewrite '' to u'' if we want
+    return ast.literal_eval(s)
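Review bot: The new `evalpythonliteral` docstring drops the trust caveat the removed `evalpython` carried, so a reader may now assume the function is safe for arbitrary wire input. `ast.literal_eval` does block names, calls and attribute access, but it is not a hardened parser: it raises `ValueError` for non-literal syntax and `SyntaxError` for malformed text, and deeply nested or very large input can still exhaust the parser's recursion limit or memory. The wireproto caller is outside this diff, so I cannot see whether those exceptions are caught or the payload is bounded; the docstring should at least say so, e.g. append `Raises ValueError or SyntaxError on anything that is not a literal; callers must bound input size, since deep nesting can exhaust the recursion limit.` The old function also exposed `set(...)` and `tuple(...)` as builtins and the commit message notes set literals are not supported, so a one-line note that `set` syntax is rejected (at least on Python 2.7, where `literal_eval` has no set display support) would save the next caller a surprise.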