bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)
Similarly to GH-22566, those tests called eval() on content received via HTTP in test_named_sequences_full. This likely isn't exploitable because unicodedata.lookup(seqname) is called before self.checkletter(seqname, None) - thus any string which isn't a valid unicode character name wouldn't ever reach the checkletter method. Still, it's probably better to be safe than sorry.
parent 2ef5caa58f
commit a8bf44d049
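The failure mode the commit message describes, as an added example that is not part of this commit or of CPython's test suite: the `checkletter` helper before and after the fix, side by side, fed a legitimate character name and a constructed "name" that closes the `"\N{...}"` literal and smuggles in a call. The names, the `EXECUTED` counter and the `_attacker_hook` function are assumptions made for the demonstration (a stand-in for whatever an attacker would put in a tampered `NamedSequences.txt`); the real test reads its names from the file it fetched over HTTP.

```python
import ast
import unicodedata

# Constructed record of whether the injected expression actually ran
# (assumption: a real payload would do far worse than bump a counter).
EXECUTED = {"count": 0}


def _attacker_hook():
    """Stand-in for an attacker's payload: records that it was executed."""
    EXECUTED["count"] += 1
    return ""


def unsafe_checkletter(name):
    """The 'before' helper: eval() on source built from untrusted data."""
    return eval(r'"\N{%s}"' % name)


def safe_checkletter(name):
    """The 'after' helper: ast.literal_eval() accepts literal syntax only."""
    return ast.literal_eval(r'"\N{%s}"' % name)


# Constructed inputs standing in for names received over HTTP.
BENIGN_NAME = "LATIN SMALL LETTER A"
# Closes the \N{...} escape and the string literal, appends a call, then
# reopens a valid literal so the whole thing still parses as Python.
MALICIOUS_NAME = 'LATIN SMALL LETTER A}" + _attacker_hook() + "\\N{LATIN SMALL LETTER A'


def demo():
    results = {}

    # 1. Both helpers agree on a legitimate name. literal_eval still resolves
    #    \N{...} because escape decoding happens when the literal is parsed.
    results["benign_unsafe"] = unsafe_checkletter(BENIGN_NAME)
    results["benign_safe"] = safe_checkletter(BENIGN_NAME)
    results["lookup"] = unicodedata.lookup(BENIGN_NAME)

    # 2. The crafted name: eval() happily runs the injected call.
    before = EXECUTED["count"]
    results["unsafe_value"] = unsafe_checkletter(MALICIOUS_NAME)
    results["unsafe_executed"] = EXECUTED["count"] - before

    # 3. literal_eval() rejects the same source: a BinOp containing a Call
    #    is not a literal, so it raises instead of evaluating anything.
    #    (A name with an unbalanced quote would raise SyntaxError instead.)
    before = EXECUTED["count"]
    try:
        safe_checkletter(MALICIOUS_NAME)
        results["safe_error"] = None
    except (ValueError, SyntaxError) as exc:
        results["safe_error"] = type(exc).__name__
    results["safe_executed"] = EXECUTED["count"] - before

    # 4. unicodedata.lookup() on the crafted name raises KeyError, which is
    #    the call-ordering argument in the commit message: in the real test
    #    this lookup runs first, so the crafted name never reaches the helper.
    try:
        unicodedata.lookup(MALICIOUS_NAME)
        results["lookup_error"] = None
    except KeyError:
        results["lookup_error"] = "KeyError"

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of step 3 is that `ast.literal_eval` gives the test a fail-closed behaviour: a tampered name produces a test error, not code execution, regardless of whether the `unicodedata.lookup` guard in the caller is kept.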
@ -7,6 +7,7 @@ Modified for Python 2.0 by Fredrik Lundh (fredrik@pythonware.com)
"""#"
"""#"
import ast
import unittest
import unittest
import unicodedata
import unicodedata
@ -24,7 +25,7 @@ class UnicodeNamesTest(unittest.TestCase):
# Helper that put all \N escapes inside eval'd raw strings,
# Helper that put all \N escapes inside eval'd raw strings,
# to make sure this script runs even if the compiler
# to make sure this script runs even if the compiler
# chokes on \N escapes
# chokes on \N escapes
res = eval(r'"\N{%s}"' % name)
res = ast.literal_eval(r'"\N{%s}"' % name)
self.assertEqual(res, code)
self.assertEqual(res, code)
return res
return res
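Review bot: the comment block above the changed line is now stale: it still says the \N escapes are put "inside eval'd raw strings" (and reads "Helper that put" rather than "puts"), while the call is now `ast.literal_eval(r'"\N{%s}"' % name)`. Suggest rewording it to say the raw-string literal is parsed with `ast.literal_eval`, which only accepts literal syntax, so a name that closes the `"\N{...}"` literal and appends an expression raises `ValueError` (or `SyntaxError` for an unbalanced quote) instead of being executed, and to note that the original purpose is preserved because `\N{...}` escapes are decoded when the literal is parsed, so the escape still never has to appear in this file's own source. With that wording fixed, the one-line change itself looks right: `res` is computed the same way for valid names, and `self.assertEqual(res, code)` is unaffected.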