Skip to content

Warn that overriding __builtins__ for eval is not a security mechanism#145773

Open
StanFromIreland wants to merge 2 commits intopython:mainfrom
StanFromIreland:eval_sec
Open

Warn that overriding __builtins__ for eval is not a security mechanism#145773
StanFromIreland wants to merge 2 commits intopython:mainfrom
StanFromIreland:eval_sec

Conversation

@StanFromIreland
Copy link
Member

@StanFromIreland StanFromIreland commented Mar 10, 2026
edited
Loading

This misleads users as it gives the impression that the above warning can be ignored.

📚 Documentation preview 📚: https://cpython-previews--145773.org.readthedocs.build/

@bedevere-app bedevere-app bot added docs Documentation in the Doc dir skip news awaiting review labels Mar 10, 2026
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Mar 10, 2026
sethmlarson
sethmlarson approved these changes Mar 10, 2026
View reviewed changes
Copy link
Contributor

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@scottshambaugh scottshambaugh mentioned this pull request Mar 10, 2026
Open
1 task
nedbat
nedbat reviewed Mar 10, 2026
View reviewed changes
Doc/library/functions.rst

This function executes arbitrary code. Calling it with
user-supplied input may lead to security vulnerabilities.
user-supplied input will lead to security vulnerabilities.
Copy link
Member

@nedbat nedbat Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
user-supplied input will lead to security vulnerabilities.
un-trusted user-supplied input can easily lead to security vulnerabilities.

Copy link
Member Author

@StanFromIreland StanFromIreland Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are generally trying to strengthen the warning (we held a little vote, people are in favour), but IMO this suggestion reverts that. Might I ask why exactly you want it to be so?

nedbat
nedbat reviewed Mar 10, 2026
View reviewed changes
Doc/library/functions.rst
Comment on lines +708 to +709
names, but it is **not** a security mechanism, the executed code can
still access builtins.
Copy link
Member

@nedbat nedbat Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
names, but it is **not** a security mechanism, the executed code can
still access builtins.
names, but is **not** a security mechanism: the executed code can
still access all builtins.

nedbat
nedbat reviewed Mar 10, 2026
View reviewed changes
Doc/library/functions.rst
Comment on lines +618 to +619
names, but it is **not** a security mechanism, the executed code can
still access builtins.
Copy link
Member

@nedbat nedbat Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
names, but it is **not** a security mechanism, the executed code can
still access builtins.
names, but this is **not** a security mechanism: the executed code can
still access all builtins.

nedbat
nedbat reviewed Mar 10, 2026
View reviewed changes
Doc/library/functions.rst

This function executes arbitrary code. Calling it with
user-supplied input may lead to security vulnerabilities.
user-supplied input will lead to security vulnerabilities.
Copy link
Member

@nedbat nedbat Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
user-supplied input will lead to security vulnerabilities.
un-trusted user-supplied input can easily lead to security vulnerabilities.

@picnixz
Copy link
Member

picnixz commented Mar 10, 2026
edited
Loading

I'm always torn when we change these kind of notes. I don't agree that this will lead to security vulnerabilities. It depends on your threat model. So the "may"/"can" formulation is for me the correct one.

What I do find correct however is that untrusted input can lead to security vulnerabilities. I would honestly drop the "easily" part as again it depends on where the untrusted input comes from. For instance, the user can supply an arbitrary string, and that arbitrary string is processed with (highly non-trivial, but still polynomial-time evaluable) reversible transformations that eventually output a string that is then evaled. In this case, you can consider that you have a security vulnerability, but not necessarily "easily" achievable (but still achievable if you spend time to reverse the transformations).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nedbat nedbat nedbat left review comments

@sethmlarson sethmlarson sethmlarson approved these changes

@johnslavik johnslavik johnslavik approved these changes

Assignees

No one assigned

Labels

awaiting core review docs Documentation in the Doc dir skip issue skip news type-security A security issue

Projects

Docs PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@StanFromIreland @picnixz @nedbat @sethmlarson @johnslavik