diff roundup/backends/sessions_rdbms.py @ 8587:31675062230a

feature: replace eval with ast.literal_eval. Used to unmarshal session and other data. It looks like the data is all literal values.
author John Rouillard <rouilj@ieee.org>
date Mon, 20 Apr 2026 03:13:14 -0400
parents ee17f62c8341
children
--- a/roundup/backends/sessions_rdbms.py	Mon Apr 20 03:09:30 2026 -0400
+++ b/roundup/backends/sessions_rdbms.py	Mon Apr 20 03:13:14 2026 -0400
@@ -5,13 +5,16 @@
 class. It's now also used for One Time Key handling too.
 """
 __docformat__ = 'restructuredtext'
+import ast
 import time
 
 from roundup.anypy.html import html_escape as escape
 from roundup.backends.sessions_common import SessionCommon
 
 def safe_eval(s):
-    return eval(s, {"__builtins__": {}}, {})
+    """Restricted eval to eval a repr of a dict of constants.
+    """
+    return ast.literal_eval(s)
 
 class BasicDatabase(SessionCommon):
     ''' Provide a nice encapsulation of an RDBMS table.
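Review bot: `safe_eval` at line 26 now raises `ValueError` for any input that is not a Python literal (and `SyntaxError`, or `MemoryError`/`RecursionError` on very deeply nested input), whereas the old `eval` call could raise almost any exception; any caller that catches a specific exception type around `safe_eval` should be checked against that, and the new docstring should state it. The docstring also says the input is the repr of a dict, but `ast.literal_eval` accepts every literal form (lists, tuples, sets, numbers, `None`), so if callers index the result as a dict an `if not isinstance(result, dict): raise ValueError(...)` after the call would turn a corrupted stored value into a clear error rather than a later `AttributeError`; the callers are not visible in this hunk, so that is an inference. A docstring of the form `"""Unmarshal the repr of a dict of constants via ast.literal_eval.` / `Raises ValueError or SyntaxError if *s* is not a valid Python literal."""` would record the contract for the next maintainer.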
