bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests by serhiy-storchaka · Pull Request #22566 · python/cpython
vstinner pushed a commit that referenced this pull request
[bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)](/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3) ([a8bf44d](/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3))

Similarly to GH-22566, those tests called eval() on content received via HTTP in test_named_sequences_full. This likely isn't exploitable because unicodedata.lookup(seqname) is called before self.checkletter(seqname, None) - thus any string which isn't a valid unicode character name wouldn't ever reach the checkletter method.
Still, it's probably better to be safe than sorry.
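As an added illustration of the class of fix these two commits make (not the CPython test code itself, and not the exact change in GH-22566 or GH-22575): test data fetched over HTTP should be parsed with a grammar the test controls rather than handed to eval(). The example below assumes the NamedSequences.txt layout of `name;hex code points` per line with `#` comments, and the input lines are a constructed sample, including one line shaped like a Python expression that eval() would have evaluated but a strict parser simply rejects.

```python
import re

# Constructed sample in the NamedSequences.txt style assumed here:
# "<sequence name>;<hex code point> <hex code point> ...", '#' comments.
# The last line is NOT a valid record; it is a Python expression, which
# eval() would happily compute. The parser below refuses it instead.
SAMPLE_LINES = [
    "# constructed sample, not the real NamedSequences.txt",
    "LATIN CAPITAL LETTER A WITH MACRON AND GRAVE;0100 0300",
    "",
    "NOT A SEQUENCE;chr(0x41)",
]

# A code point is 4 to 6 hex digits; anything else is rejected.
_HEX_CODEPOINT = re.compile(r"^[0-9A-Fa-f]{4,6}$")


def parse_codepoints(field):
    """Turn '0100 0300' into '\u0100\u0300' using int(cp, 16), never eval()."""
    chars = []
    for cp in field.split():
        if not _HEX_CODEPOINT.match(cp):
            raise ValueError(f"not a hex code point: {cp!r}")
        chars.append(chr(int(cp, 16)))
    return "".join(chars)


def parse_named_sequences(lines):
    """Parse name;codepoints records into a dict.

    Blank and comment lines are skipped. Lines that do not fit the grammar
    are collected in `rejected` so a test can fail loudly on tampered or
    unexpected data instead of executing it.
    """
    table = {}
    rejected = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, field = line.partition(";")
        if not sep:
            rejected.append(line)
            continue
        try:
            table[name.strip()] = parse_codepoints(field)
        except ValueError:
            rejected.append(line)
    return table, rejected


if __name__ == "__main__":
    table, rejected = parse_named_sequences(SAMPLE_LINES)
    for name, seq in table.items():
        print(name, [hex(ord(c)) for c in seq])
    print("rejected:", rejected)
```

In a test, the natural follow-up is `self.assertEqual(rejected, [])` before comparing `unicodedata.lookup(name)` against each parsed sequence, so a malformed or tampered download fails the test rather than silently passing or running code.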