gh-118633: Add warning regarding the unsafe usage of eval and exec (GH-118437)

* Add warning regarding the unsafe usage of eval * Add warning regarding the unsafe usage of exec * Move warning under parameters table * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Improve wording as suggested --------- Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
2024-11-24 00:38:00 +01:00 · 2024-10-30 01:36:18 +01:00 · 2024-10-30 01:36:18 +01:00 · 00e5ec0d35
commit 00e5ec0d35
parent d4b6d84cc8
1 changed files with 10 additions and 0 deletions
--- a/Doc/library/functions.rst
+++ b/Doc/library/functions.rst
@ -594,6 +594,11 @@ are always available.  They are listed here in alphabetical order.
   :returns: The result of the evaluated expression.
   :raises: Syntax errors are reported as exceptions.

+   .. warning::
+
+      This function executes arbitrary code. Calling it with
+      user-supplied input may lead to security vulnerabilities.
+
   The *expression* argument is parsed and evaluated as a Python expression
   (technically speaking, a condition list) using the *globals* and *locals*
   mappings as global and local namespace.  If the *globals* dictionary is
@ -650,6 +655,11 @@ are always available.  They are listed here in alphabetical order.

 .. function:: exec(source, /, globals=None, locals=None, *, closure=None)

+   .. warning::
+
+      This function executes arbitrary code. Calling it with
+      user-supplied input may lead to security vulnerabilities.
+
   This function supports dynamic execution of Python code. *source* must be
   either a string or a code object.  If it is a string, the string is parsed as
   a suite of Python statements which is then executed (unless a syntax error