From 343a7a62595fa50e3e53eaca9c4b0a8de97ef714 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> Date: Wed, 30 Oct 2024 01:49:18 +0100 Subject: [PATCH] [3.13] gh-118633: Add warning regarding the unsafe usage of eval and exec (GH-118437) (#126161) gh-118633: Add warning regarding the unsafe usage of eval and exec (GH-118437) * Add warning regarding the unsafe usage of eval * Add warning regarding the unsafe usage of exec * Move warning under parameters table * Use suggested shorter text * Use suggested shorter text * Improve wording as suggested --------- (cherry picked from commit 00e5ec0d35193c1665e5c0cfe5ef82eed270d0f4) Co-authored-by: Daniel Ruf Co-authored-by: Kirill Podoprigora Co-authored-by: Jelle Zijlstra --- Doc/library/functions.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst index e388cbb5b6fc..5f1429a458eb 100644 --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst @@ -588,6 +588,11 @@ are always available. They are listed here in alphabetical order. :returns: The result of the evaluated expression. :raises: Syntax errors are reported as exceptions. + .. warning:: + + This function executes arbitrary code. Calling it with + user-supplied input may lead to security vulnerabilities. + The *expression* argument is parsed and evaluated as a Python expression (technically speaking, a condition list) using the *globals* and *locals* mappings as global and local namespace. If the *globals* dictionary is @@ -644,6 +649,11 @@ are always available. They are listed here in alphabetical order. .. function:: exec(source, /, globals=None, locals=None, *, closure=None) + .. warning:: + + This function executes arbitrary code. Calling it with + user-supplied input may lead to security vulnerabilities. + This function supports dynamic execution of Python code. *source* must be either a string or a code object. If it is a string, the string is parsed as a suite of Python statements which is then executed (unless a syntax error -- 2.47.3