Question

Are there any known security holes in Python 3's ast.literal_eval(node_or_string)?

Are there any known ways for ast.literal_eval(node_or_string)'s evaluation to not actually be safe?

If yes, are patches available for them?

(I already know about PyPy[sandbox], which is presumably more secure, but unless the answers are yes then no, my needs are minor enough that I won't be going that far.)
Recommended answer

The documentation states it is safe, and there is no bug relating to the security of literal_eval in the bug tracker, so you can probably assume it is safe.

Also, according to the source, literal_eval parses the string to a Python AST (source tree) and returns a value only if it is a literal. The code is never executed, only parsed, so there is no reason for it to be a security risk.
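The behaviour the answer describes, as an added example that is not part of the original post: a small wrapper around ast.literal_eval that shows which untrusted inputs are accepted as literals and which are rejected before anything runs. The length cap, the function name and the sample inputs are my own assumptions; the cap is there because the Python documentation notes that a sufficiently large or deeply nested string can exhaust the parser's stack, which is a denial-of-service concern rather than a code-execution one.

```python
import ast

# Assumed cap (not from the original answer): literal_eval never executes code,
# but a huge or deeply nested string can still exhaust the parser's recursion
# or stack limits, so bound the input size before parsing.
MAX_INPUT_LEN = 10_000


def parse_untrusted_literal(text: str, max_len: int = MAX_INPUT_LEN):
    """Parse untrusted text as a Python literal.

    Returns (True, value) when the text is a pure literal (numbers, strings,
    bytes, tuples, lists, dicts, sets, booleans, None) and (False, reason)
    otherwise. Names, attribute access, calls and operators are not literals,
    so literal_eval raises ValueError for them instead of evaluating anything.
    """
    if len(text) > max_len:
        return False, "input too long"
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: well-formed syntax but not a literal (e.g. a call or a name)
        # SyntaxError: not valid Python at all
        # MemoryError/RecursionError: parser limits hit on pathological input
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: two literals, then inputs that must be rejected.
    samples = [
        "{'a': [1, 2.5, (True, None)]}",
        "b'\\x00\\x01'",
        "__import__('os').getcwd()",   # a call: parsed, never executed
        "x",                           # a bare name is not a literal
        "[1, 2",                       # unbalanced syntax
        "[" * 20_000 + "]" * 20_000,   # deep nesting, stopped by the length cap
    ]
    for sample in samples:
        ok, result = parse_untrusted_literal(sample)
        shown = sample if len(sample) < 40 else f"<{len(sample)} chars>"
        print(f"{'ACCEPT' if ok else 'REJECT'} {shown!r} -> {result!r}")
```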