@@ -9,7 +9,7 b'' | |||||
9 |
|
9 | |||
10 | from __future__ import absolute_import |
|
10 | from __future__ import absolute_import | |
11 |
|
11 | |||
12 | import __future__ |
|
12 | import ast | |
13 | import codecs |
|
13 | import codecs | |
14 | import re as remod |
|
14 | import re as remod | |
15 | import textwrap |
|
15 | import textwrap | |
@@ -499,28 +499,7 b' def parsebool(s):' | |||||
499 | """ |
|
499 | """ | |
500 | return _booleans.get(s.lower(), None) |
|
500 | return _booleans.get(s.lower(), None) | |
501 |
|
501 | |||
502 | def evalpython(s): |
|
502 | def evalpythonliteral(s): | |
503 |
"""Evaluate a string containing a Python expression |
|
503 | """Evaluate a string containing a Python literal expression""" | |
504 |
|
504 | # We could backport our tokenizer hack to rewrite '' to u'' if we want | ||
505 | THIS FUNCTION IS NOT SAFE TO USE ON UNTRUSTED INPUT. IT'S USE SHOULD BE |
|
505 | return ast.literal_eval(s) | |
506 | LIMITED TO DEVELOPER-FACING FUNCTIONALITY. |
|
|||
507 | """ |
|
|||
508 | globs = { |
|
|||
509 | r'__builtins__': { |
|
|||
510 | r'None': None, |
|
|||
511 | r'False': False, |
|
|||
512 | r'True': True, |
|
|||
513 | r'int': int, |
|
|||
514 | r'set': set, |
|
|||
515 | r'tuple': tuple, |
|
|||
516 | # Don't need to expose dict and list because we can use |
|
|||
517 | # literals. |
|
|||
518 | }, |
|
|||
519 | } |
|
|||
520 |
|
||||
521 | # We can't use eval() directly because it inherits compiler |
|
|||
522 | # flags from this module and we need unicode literals for Python 3 |
|
|||
523 | # compatibility. |
|
|||
524 | code = compile(s, r'<string>', r'eval', |
|
|||
525 | __future__.unicode_literals.compiler_flag, True) |
|
|||
526 | return eval(code, globs, {}) |
|
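Review bot: The one-line docstring on the new evalpythonliteral (new line 503) documents neither the accepted input nor the failure modes, and the old function's safety discussion is dropped without a replacement; ast.literal_eval removes the arbitrary-code risk, but, as the ast module docs note, a sufficiently large or deeply nested string can still exhaust the parser's stack and crash the interpreter, so callers should keep a size bound on anything not developer-supplied. It also raises ValueError (or SyntaxError) for any non-literal input, and the int/set/tuple callables the old globals exposed are no longer available, so strings like `set(...)` that used to work now fail. Suggest extending the docstring along the lines of: `Only Python literal syntax is accepted (strings, numbers, tuples, lists, dicts, booleans, None); anything else raises ValueError or SyntaxError. No unicode_literals flag is applied, so on Python 2 a bare 'foo' literal yields str rather than unicode.` A test asserting that a non-literal expression raises would pin the property this commit introduces, since the test hunk below only removes a case.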
@@ -180,9 +180,6 b' def makeframe(requestid, streamid, strea' | |||||
180 | def makeframefromhumanstring(s): |
|
180 | def makeframefromhumanstring(s): | |
181 | """Create a frame from a human readable string |
|
181 | """Create a frame from a human readable string | |
182 |
|
182 | |||
183 | DANGER: NOT SAFE TO USE WITH UNTRUSTED INPUT BECAUSE OF POTENTIAL |
|
|||
184 | eval() USAGE. DO NOT USE IN CORE. |
|
|||
185 |
|
||||
186 | Strings have the form: |
|
183 | Strings have the form: | |
187 |
|
184 | |||
188 | <request-id> <stream-id> <stream-flags> <type> <flags> <payload> |
|
185 | <request-id> <stream-id> <stream-flags> <type> <flags> <payload> | |
@@ -198,7 +195,7 b' def makeframefromhumanstring(s):' | |||||
198 | Flags can be delimited by `|` to bitwise OR them together. |
|
195 | Flags can be delimited by `|` to bitwise OR them together. | |
199 |
|
196 | |||
200 | If the payload begins with ``cbor:``, the following string will be |
|
197 | If the payload begins with ``cbor:``, the following string will be | |
201 |
evaluated as Python |
|
198 | evaluated as Python literal and the resulting object will be fed into | |
202 | a CBOR encoder. Otherwise, the payload is interpreted as a Python |
|
199 | a CBOR encoder. Otherwise, the payload is interpreted as a Python | |
203 | byte string literal. |
|
200 | byte string literal. | |
204 | """ |
|
201 | """ | |
@@ -229,7 +226,8 b' def makeframefromhumanstring(s):' | |||||
229 | finalflags |= int(flag) |
|
226 | finalflags |= int(flag) | |
230 |
|
227 | |||
231 | if payload.startswith(b'cbor:'): |
|
228 | if payload.startswith(b'cbor:'): | |
232 |
payload = cbor.dumps(stringutil.evalpython(payload[5:]), |
|
229 | payload = cbor.dumps(stringutil.evalpythonliteral(payload[5:]), | |
|
230 | canonical=True) | |||
233 |
|
231 | |||
234 | else: |
|
232 | else: | |
235 | payload = stringutil.unescapestr(payload) |
|
233 | payload = stringutil.unescapestr(payload) |
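Review bot: The argument passed at new line 229, `payload[5:]`, is a bytes object (the guard on line 228 tests `payload.startswith(b'cbor:')`), and as far as I can tell ast.literal_eval on Python 3 only parses str input — a bytes value is treated as an already-parsed node and rejected with ValueError — so this branch looks Python 2-only as written, whereas the old compile()-based evalpython accepted bytes source. Consider converting to a native str before the call, e.g. `payload[5:].decode('utf-8')` or the project's usual bytes-to-sysstr helper, and confirm on a Python 3 run. The ValueError/SyntaxError that literal_eval raises for non-literal payloads is not caught here either, so a malformed human string surfaces as a raw parser exception rather than a frame-format error. makeframefromhumanstring starts and ends outside this hunk.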
@@ -70,10 +70,6 b' class FrameHumanStringTests(unittest.Tes' | |||||
70 | b'\x05\x00\x00\x01\x00\x01\x00\x10:\x00\x05:\r') |
|
70 | b'\x05\x00\x00\x01\x00\x01\x00\x10:\x00\x05:\r') | |
71 |
|
71 | |||
72 | def testcborstrings(self): |
|
72 | def testcborstrings(self): | |
73 | # String literals should be unicode. |
|
|||
74 | self.assertEqual(ffs(b"1 1 0 1 0 cbor:'foo'"), |
|
|||
75 | b'\x04\x00\x00\x01\x00\x01\x00\x10cfoo') |
|
|||
76 |
|
||||
77 | self.assertEqual(ffs(b"1 1 0 1 0 cbor:b'foo'"), |
|
73 | self.assertEqual(ffs(b"1 1 0 1 0 cbor:b'foo'"), | |
78 | b'\x04\x00\x00\x01\x00\x01\x00\x10Cfoo') |
|
74 | b'\x04\x00\x00\x01\x00\x01\x00\x10Cfoo') | |
79 |
|
75 |