Issue 1722239: NamedTuple security issue
It's less than a ton (how do I weigh source code? *g*) but it's used in some modules. Personally I don't like the usage of exec/execfile and I'm always worried when I see code that utilizes it. I've created a patch that checks typename and field_names for non-alphanumeric characters.
Bastion.py: exec testcode
bdb.py: exec cmd in globals, locals
cgi.py: exec "testing print_exception() -- italics?"
code.py: exec code in self.locals
collections.py: exec template in m
cProfile.py: exec cmd in globals, locals
doctest.py: exec compile(example.source, filename, "single",
hashlib.py: exec funcName + ' = f'
hashlib.py: exec funcName + ' = __get_builtin_constructor(funcName)'
ihooks.py: exec code in m.__dict__
imputil.py: exec code in module.__dict__
pdb.py: exec code in globals, locals
profile.py: exec cmd in globals, locals
rexec.py: exec TEMPLATE % (m, m)
rexec.py: exec code in m.__dict__
runpy.py: exec code in run_globals
site.py: exec line
socket.py: exec _s % (_m, _m, _m, _m)
timeit.py: exec code in globals(), ns
timeit.py: exec _setup in globals(), ns
trace.py: exec cmd in dict, dict
trace.py: exec cmd in globals, locals
File Added: NamedTuple_55472.diff
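
A sketch of the kind of check the comment above describes, written in current Python; it is an added example, not the contents of NamedTuple_55472.diff and not the standard library's code. `_TEMPLATE`, `validate_names` and `make_tuple_class` are hypothetical names, and the keyword and duplicate checks go beyond the alphanumeric check the comment mentions.

```python
import keyword
import re

# ASCII letters, digits and underscore only, not starting with a digit.
# \Z (not $) so a trailing newline cannot slip through.
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

# Hypothetical stand-in for a class template that is filled in and exec'd.
_TEMPLATE = (
    "class {typename}(tuple):\n"
    "    __slots__ = ()\n"
    "    _fields = {fields!r}\n"
    "    def __new__(cls, {args}):\n"
    "        return tuple.__new__(cls, [{args}])\n"
)


def validate_names(typename, field_names):
    """Return field_names as a tuple, or raise ValueError before any exec."""
    if isinstance(field_names, str):
        field_names = field_names.replace(",", " ").split()
    field_names = tuple(field_names)
    for name in (typename,) + field_names:
        if not isinstance(name, str) or not _NAME_RE.match(name):
            raise ValueError("only alphanumerics and underscores allowed: %r" % (name,))
        if keyword.iskeyword(name):
            raise ValueError("name cannot be a keyword: %r" % (name,))
    seen = set()
    for name in field_names:
        if name in seen:
            raise ValueError("duplicate field name: %r" % (name,))
        seen.add(name)
    return field_names


def make_tuple_class(typename, field_names):
    """Build the class via exec, but only from names that passed validation."""
    fields = validate_names(typename, field_names)
    source = _TEMPLATE.format(typename=typename, fields=fields,
                              args=", ".join(fields))
    namespace = {}
    exec(source, namespace)
    return namespace[typename]
```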