[3.12] gh-118633: Add warning regarding the unsafe usage of eval and exec (GH-118437) (#126162)

(cherry picked from commit 00e5ec0d35) Co-authored-by: Daniel Ruf <daniel@daniel-ruf.de> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
2026-01-06 07:22:09 +00:00 · 2024-10-30 02:22:31 -04:00 · 2024-10-30 02:22:31 -04:00 · b69bb1e3fe
commit b69bb1e3fe
parent e5c7543f12
1 changed files with 10 additions and 0 deletions
--- a/Doc/library/functions.rst
+++ b/Doc/library/functions.rst
@ -588,6 +588,11 @@ are always available.  They are listed here in alphabetical order.
   :returns: The result of the evaluated expression.
   :raises: Syntax errors are reported as exceptions.

+   .. warning::
+
+      This function executes arbitrary code. Calling it with
+      user-supplied input may lead to security vulnerabilities.
+
   The *expression* argument is parsed and evaluated as a Python expression
   (technically speaking, a condition list) using the *globals* and *locals*
   dictionaries as global and local namespace.  If the *globals* dictionary is
@ -634,6 +639,11 @@ are always available.  They are listed here in alphabetical order.

 .. function:: exec(object, globals=None, locals=None, /, *, closure=None)

+   .. warning::
+
+      This function executes arbitrary code. Calling it with
+      user-supplied input may lead to security vulnerabilities.
+
   This function supports dynamic execution of Python code. *object* must be
   either a string or a code object.  If it is a string, the string is parsed as
   a suite of Python statements which is then executed (unless a syntax error