comparison mercurial/wireprotoframing.py @ 37476:e9dea82ea1f3
wireproto: convert python literal to object without using unsafe eval()
Follows up cc5a040fe150.
At this point, I don't think we need a real eval(). If we want to support
a set literal, maybe we can vendor ast.literal_eval(), which is a relatively
simple function.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Sun, 08 Apr 2018 11:55:46 +0900 |
parents | d33997123ea5 |
children | 0b7475ea38cf |
37475:152f1b47e0ad | 37476:e9dea82ea1f3 |
---|---|
178 return frame | 178 return frame |
179 | 179 |
180 def makeframefromhumanstring(s): | 180 def makeframefromhumanstring(s): |
181 """Create a frame from a human readable string | 181 """Create a frame from a human readable string |
182 | 182 |
183 DANGER: NOT SAFE TO USE WITH UNTRUSTED INPUT BECAUSE OF POTENTIAL | |
184 eval() USAGE. DO NOT USE IN CORE. | |
185 | |
186 Strings have the form: | 183 Strings have the form: |
187 | 184 |
188 <request-id> <stream-id> <stream-flags> <type> <flags> <payload> | 185 <request-id> <stream-id> <stream-flags> <type> <flags> <payload> |
189 | 186 |
190 This can be used by user-facing applications and tests for creating | 187 This can be used by user-facing applications and tests for creating |
196 named constant. | 193 named constant. |
197 | 194 |
198 Flags can be delimited by `|` to bitwise OR them together. | 195 Flags can be delimited by `|` to bitwise OR them together. |
199 | 196 |
200 If the payload begins with ``cbor:``, the following string will be | 197 If the payload begins with ``cbor:``, the following string will be |
201 evaluated as Python code and the resulting object will be fed into | 198 evaluated as Python literal and the resulting object will be fed into |
202 a CBOR encoder. Otherwise, the payload is interpreted as a Python | 199 a CBOR encoder. Otherwise, the payload is interpreted as a Python |
203 byte string literal. | 200 byte string literal. |
204 """ | 201 """ |
205 fields = s.split(b' ', 5) | 202 fields = s.split(b' ', 5) |
206 requestid, streamid, streamflags, frametype, frameflags, payload = fields | 203 requestid, streamid, streamflags, frametype, frameflags, payload = fields |
227 finalflags |= validflags[flag] | 224 finalflags |= validflags[flag] |
228 else: | 225 else: |
229 finalflags |= int(flag) | 226 finalflags |= int(flag) |
230 | 227 |
231 if payload.startswith(b'cbor:'): | 228 if payload.startswith(b'cbor:'): |
232 payload = cbor.dumps(stringutil.evalpython(payload[5:]), canonical=True) | 229 payload = cbor.dumps(stringutil.evalpythonliteral(payload[5:]), |
230 canonical=True) | |
233 | 231 |
234 else: | 232 else: |
235 payload = stringutil.unescapestr(payload) | 233 payload = stringutil.unescapestr(payload) |
236 | 234 |
237 return makeframe(requestid=requestid, streamid=streamid, | 235 return makeframe(requestid=requestid, streamid=streamid, |
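Review bot: the reworded docstring at new line 198 ("evaluated as Python literal") does not say which literal forms a `cbor:` payload may use. The commit message implies set literals are not supported, and a caller writing frame strings for tests cannot learn that from the docstring. Suggest naming the accepted types there, or pointing at stringutil.evalpythonliteral, and reading "as a Python literal".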
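Review bot: the call at new lines 229-230 has no handling for a `cbor:` payload that is not a valid literal, so whatever stringutil.evalpythonliteral raises surfaces directly from makeframefromhumanstring with no indication of which frame string was at fault. The docstring says this function serves user-facing applications and tests, so consider catching the failure and re-raising with the offending input. Since the same change drops the DANGER warning at old lines 183-184, the safety of this path now rests entirely on evalpythonliteral refusing anything that is not a literal; a test that passes a non-literal expression after `cbor:` and asserts it is rejected would pin that behaviour down.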