Show More
| @@ -9,7 +9,7 | |||
|
|
9 | 9 | |
|
|
10 | 10 | from __future__ import absolute_import |
|
|
11 | 11 | |
|
|
12 | import __future__ | |
|
|
12 | import ast | |
|
|
13 | 13 | import codecs |
|
|
14 | 14 | import re as remod |
|
|
15 | 15 | import textwrap |
| @@ -499,28 +499,7 def parsebool(s): | |||
|
|
499 | 499 | """ |
|
|
500 | 500 | return _booleans.get(s.lower(), None) |
|
|
501 | 501 | |
|
|
502 | def evalpython(s): | |
|
|
503 |
"""Evaluate a string containing a Python expression |
|
|
|
504 | ||
|
|
505 | THIS FUNCTION IS NOT SAFE TO USE ON UNTRUSTED INPUT. IT'S USE SHOULD BE | |
|
|
506 | LIMITED TO DEVELOPER-FACING FUNCTIONALITY. | |
|
|
507 | """ | |
|
|
508 | globs = { | |
|
|
509 | r'__builtins__': { | |
|
|
510 | r'None': None, | |
|
|
511 | r'False': False, | |
|
|
512 | r'True': True, | |
|
|
513 | r'int': int, | |
|
|
514 | r'set': set, | |
|
|
515 | r'tuple': tuple, | |
|
|
516 | # Don't need to expose dict and list because we can use | |
|
|
517 | # literals. | |
|
|
518 | }, | |
|
|
519 | } | |
|
|
520 | ||
|
|
521 | # We can't use eval() directly because it inherits compiler | |
|
|
522 | # flags from this module and we need unicode literals for Python 3 | |
|
|
523 | # compatibility. | |
|
|
524 | code = compile(s, r'<string>', r'eval', | |
|
|
525 | __future__.unicode_literals.compiler_flag, True) | |
|
|
526 | return eval(code, globs, {}) | |
|
|
502 | def evalpythonliteral(s): | |
|
|
503 | """Evaluate a string containing a Python literal expression""" | |
|
|
504 | # We could backport our tokenizer hack to rewrite '' to u'' if we want | |
|
|
505 | return ast.literal_eval(s) | |
| @@ -180,9 +180,6 def makeframe(requestid, streamid, strea | |||
|
|
180 | 180 | def makeframefromhumanstring(s): |
|
|
181 | 181 | """Create a frame from a human readable string |
|
|
182 | 182 | |
|
|
183 | DANGER: NOT SAFE TO USE WITH UNTRUSTED INPUT BECAUSE OF POTENTIAL | |
|
|
184 | eval() USAGE. DO NOT USE IN CORE. | |
|
|
185 | ||
|
|
186 | 183 | Strings have the form: |
|
|
187 | 184 | |
|
|
188 | 185 | <request-id> <stream-id> <stream-flags> <type> <flags> <payload> |
| @@ -198,7 +195,7 def makeframefromhumanstring(s): | |||
|
|
198 | 195 | Flags can be delimited by `|` to bitwise OR them together. |
|
|
199 | 196 | |
|
|
200 | 197 | If the payload begins with ``cbor:``, the following string will be |
|
|
201 |
evaluated as Python |
|
|
|
198 | evaluated as Python literal and the resulting object will be fed into | |
|
|
202 | 199 | a CBOR encoder. Otherwise, the payload is interpreted as a Python |
|
|
203 | 200 | byte string literal. |
|
|
204 | 201 | """ |
| @@ -229,7 +226,8 def makeframefromhumanstring(s): | |||
|
|
229 | 226 | finalflags |= int(flag) |
|
|
230 | 227 | |
|
|
231 | 228 | if payload.startswith(b'cbor:'): |
|
|
232 |
payload = cbor.dumps(stringutil.evalpython(payload[5:]), |
|
|
|
229 | payload = cbor.dumps(stringutil.evalpythonliteral(payload[5:]), | |
|
|
230 | canonical=True) | |
|
|
233 | 231 | |
|
|
234 | 232 | else: |
|
|
235 | 233 | payload = stringutil.unescapestr(payload) |
| @@ -70,10 +70,6 class FrameHumanStringTests(unittest.Tes | |||
|
|
70 | 70 | b'\x05\x00\x00\x01\x00\x01\x00\x10:\x00\x05:\r') |
|
|
71 | 71 | |
|
|
72 | 72 | def testcborstrings(self): |
|
|
73 | # String literals should be unicode. | |
|
|
74 | self.assertEqual(ffs(b"1 1 0 1 0 cbor:'foo'"), | |
|
|
75 | b'\x04\x00\x00\x01\x00\x01\x00\x10cfoo') | |
|
|
76 | ||
|
|
77 | 73 | self.assertEqual(ffs(b"1 1 0 1 0 cbor:b'foo'"), |
|
|
78 | 74 | b'\x04\x00\x00\x01\x00\x01\x00\x10Cfoo') |
|
|
79 | 75 | |
General Comments 0
You need to be logged in to leave comments.
Login now