Skip to content

Warn that overriding __builtins__ for eval is not a security mechanism #145773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
StanFromIreland wants to merge 5 commits into
base: main
Choose a base branch
from
+11 −9
Open

Warn that overriding __builtins__ for eval is not a security mechanism #145773

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
49f8d6a
Warn that overriding `__builtins__` for `eval` is not a secuirty mech…
StanFromIreland Mar 10, 2026
6baacfb
Seth's suggestion: may -> will
StanFromIreland Mar 10, 2026
d486584
Apply suggestions from code review
StanFromIreland Mar 10, 2026
f69e67c
GitHub seems to be asleep today....
StanFromIreland Mar 10, 2026
dd5330f
Add "this"
StanFromIreland Mar 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 11 additions & 9 deletions Doc/library/functions.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -606,17 +606,18 @@ are always available. They are listed here in alphabetical order.
.. warning::

This function executes arbitrary code. Calling it with
user-supplied input may lead to security vulnerabilities.
untrusted user-supplied input will lead to security vulnerabilities.

The *source* argument is parsed and evaluated as a Python expression
(technically speaking, a condition list) using the *globals* and *locals*
mappings as global and local namespace. If the *globals* dictionary is
present and does not contain a value for the key ``__builtins__``, a
reference to the dictionary of the built-in module :mod:`builtins` is
inserted under that key before *source* is parsed. That way you can
control what builtins are available to the executed code by inserting your
own ``__builtins__`` dictionary into *globals* before passing it to
:func:`eval`. If the *locals* mapping is omitted it defaults to the
inserted under that key before *source* is parsed.
Overriding ``__builtins__`` can be used to restrict or change the available
names, but this is **not** a security mechanism: the executed code can
still access all builtins.
If the *locals* mapping is omitted it defaults to the
*globals* dictionary. If both mappings are omitted, the source is
executed with the *globals* and *locals* in the environment where
:func:`eval` is called. Note, *eval()* will only have access to the
Expand Down Expand Up @@ -671,7 +672,7 @@ are always available. They are listed here in alphabetical order.
.. warning::

This function executes arbitrary code. Calling it with
user-supplied input may lead to security vulnerabilities.
untrusted user-supplied input will lead to security vulnerabilities.

This function supports dynamic execution of Python code. *source* must be
either a string or a code object. If it is a string, the string is parsed as
Expand Down Expand Up @@ -702,9 +703,10 @@ are always available. They are listed here in alphabetical order.

If the *globals* dictionary does not contain a value for the key
``__builtins__``, a reference to the dictionary of the built-in module
:mod:`builtins` is inserted under that key. That way you can control what
builtins are available to the executed code by inserting your own
``__builtins__`` dictionary into *globals* before passing it to :func:`exec`.
:mod:`builtins` is inserted under that key.
Overriding ``__builtins__`` can be used to restrict or change the available
names, but this is **not** a security mechanism: the executed code can
still access all builtins.

The *closure* argument specifies a closure--a tuple of cellvars.
It's only valid when the *object* is a code object containing
Expand Down
Loading