Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ast.literal_eval is still referred to as safe by the documentation for eval #100305

Open
Zephyrkul opened this issue Dec 16, 2022 · 7 comments
Open

ast.literal_eval is still referred to as safe by the documentation for eval #100305

Zephyrkul opened this issue Dec 16, 2022 · 7 comments
Labels
docs Documentation in the Doc dir

Comments

@Zephyrkul
Copy link

Zephyrkul commented Dec 16, 2022
edited by bedevere-bot
Loading

Documentation

From https://docs.python.org/3/library/functions.html#eval:

See ast.literal_eval() for a function that can safely evaluate strings with expressions containing only literals.

Linked PRs
@Zephyrkul Zephyrkul added the docs Documentation in the Doc dir label Dec 16, 2022
@ramvikrams
Copy link
Contributor

Could you please elabourate about it, I would like to work on this but I can't get what the issue is trying to say.

@pochmann
Copy link
Contributor

@ramvikrams Have you read literal_eval's documentation?

@ramvikrams
Copy link
Contributor

ramvikrams commented Dec 17, 2022
edited
Loading

@ramvikrams Have you read literal_eval's documentation?

yes, I read it now earlier I read ast.literal_eval from a different source I saw there was a warning there I'll put the warning in the eval documentation

@Zephyrkul
Copy link
Author

Zephyrkul commented Dec 17, 2022
edited
Loading

Could you please elabourate about it, I would like to work on this but I can't get what the issue is trying to say.

From the docs for literal_eval:

This function had been documented as “safe” in the past without defining what that meant. That was misleading.... [It] is not free from attack.

Python 3.11 changed the documentation to no longer refer to the function as "safe" due to the misleading vagueness of the term (see #95588), but this entry under eval() seems to have been missed.

@ramvikrams
Copy link
Contributor

Could you please elabourate about it, I would like to work on this but I can't get what the issue is trying to say.

From the docs for literal_eval:

This function had been documented as “safe” in the past without defining what that meant. That was misleading.... [It] is not free from attack.

Python 3.11 changed the documentation to no longer refer to the function as "safe" due to the misleading vagueness of the term (see #95588), but this entry under eval() seems to have been missed.

thanks i'll change it

@ramvikrams ramvikrams mentioned this issue Dec 17, 2022
Open
@pochmann
Copy link
Contributor

pochmann commented Dec 18, 2022
edited
Loading

Your proposed replacement text looks weirdly out of place and negative to me:

ast.literal_eval is no longer marked as safe for evaluating strings with expressions containing only literals. For further information, please check the documentation for ast.literal_eval

I'd wonder why it's suddenly talking about some other function as if the reader knew about it already, as if it had been pointed out before.

I'd just weaken the "safely", like (adding "more")

See ast.literal_eval() for a function that can more safely evaluate strings with expressions containing only literals.

or (adding quote characters):

See ast.literal_eval() for a function that can "safely" evaluate strings with expressions containing only literals.

These keep introducing it properly and keep the positive tone.

And in my opinion there's no need for the extra sentence telling the reader to read the documentation for details, that's what one does anyway.

@ramvikrams
Copy link
Contributor

Yeah I'll do that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs Documentation in the Doc dir
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pochmann @Zephyrkul @ramvikrams