gh-118633: Add warning regarding the unsafe usage of eval and exec (GH-118437)

DanielRuf · Eclips4 · JelleZijlstra · web-flow · commit 00e5ec0d3519 · 2024-10-30T00:36:18.000Z
* Add warning regarding the unsafe usage of eval

* Add warning regarding the unsafe usage of exec

* Move warning under parameters table

* Use suggested shorter text

Co-authored-by: Jelle Zijlstra &lt;jelle.zijlstra@gmail.com&gt;

* Use suggested shorter text

Co-authored-by: Jelle Zijlstra &lt;jelle.zijlstra@gmail.com&gt;

* Improve wording as suggested

---------

Co-authored-by: Kirill Podoprigora &lt;kirill.bast9@mail.ru&gt;
Co-authored-by: Jelle Zijlstra &lt;jelle.zijlstra@gmail.com&gt;
diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst
@@ -594,6 +594,11 @@ are always available.  They are listed here in alphabetical order.
    :returns: The result of the evaluated expression.
    :raises: Syntax errors are reported as exceptions.
 
+   .. warning::
+
+      This function executes arbitrary code. Calling it with
+      user-supplied input may lead to security vulnerabilities.
+
    The *expression* argument is parsed and evaluated as a Python expression
    (technically speaking, a condition list) using the *globals* and *locals*
    mappings as global and local namespace.  If the *globals* dictionary is
@@ -650,6 +655,11 @@ are always available.  They are listed here in alphabetical order.
 
 .. function:: exec(source, /, globals=None, locals=None, *, closure=None)
 
+   .. warning::
+
+      This function executes arbitrary code. Calling it with
+      user-supplied input may lead to security vulnerabilities.
+
    This function supports dynamic execution of Python code. *source* must be
    either a string or a code object.  If it is a string, the string is parsed as
    a suite of Python statements which is then executed (unless a syntax error
