Code review updates

scottshambaugh · scottshambaugh · commit e01b8a49314a · 2026-03-26T15:10:29.000-06:00
diff --git a/doc/api/next_api_changes/deprecations/31248-SS.rst b/doc/api/next_api_changes/deprecations/31248-SS.rst
@@ -1,7 +1,9 @@
 Arbitrary code in ``axes.prop_cycle`` rcParam strings
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The ``axes.prop_cycle`` rcParam previously accepted arbitrary Python
-expressions by passing the string to ``eval()``. This is deprecated immediately
-without replacement for security reasons. The previously documented cycler
-operations at https://matplotlib.org/cycler/ are still supported.
+The ``axes.prop_cycle`` rcParam accepts Python expressions that are evaluated
+in a limited context.  The evaluation context has been further limited and some
+expressions that previously worked (list comprehensions, for example) no longer
+will. This change is made without a deprecation period to improve security.
+The previously documented cycler operations at
+https://matplotlib.org/cycler/ are still supported.
diff --git a/doc/release/next_whats_new/cycler_rcparam_security.rst b/doc/release/next_whats_new/cycler_rcparam_security.rst
@@ -1,10 +1,10 @@
-``axes.prop_cycle`` rcParam must be literal
---------------------------------------------
+``axes.prop_cycle`` rcParam security improvements
+-------------------------------------------------
 
-The ``axes.prop_cycle`` rcParam is now parsed safely without ``eval()``. Only
-literal ``cycler()`` and ``concat()`` calls combined with ``+``, ``*``, and
-slicing are allowed. All previously valid cycler strings continue to work,
-for example:
+The ``axes.prop_cycle`` rcParam is now parsed in a safer and more restricted
+manner. Only literals, ``cycler()`` and ``concat()`` calls, the operators
+``+`` and ``*``, and slicing are allowed. All previously valid cycler strings
+documented at https://matplotlib.org/cycler/ are still supported, for example:
 
 .. code-block:: none
 
diff --git a/lib/matplotlib/tests/test_rcparams.py b/lib/matplotlib/tests/test_rcparams.py
@@ -276,6 +276,7 @@ def generate_validator_testcases(valid):
                      (cycler(mew=[2, 5]),
                       cycler('markeredgewidth', [2, 5])),
                      ("2 * cycler('color', 'rgb')", 2 * cycler('color', 'rgb')),
+                     ("2 * cycler('color', 'r' + 'gb')", 2 * cycler('color', 'rgb')),
                      ("cycler('color', 'rgb') * 2", cycler('color', 'rgb') * 2),
                      ("concat(cycler('color', 'rgb'), cycler('color', 'cmk'))",
                       cycler('color', list('rgbcmk'))),
@@ -287,6 +288,8 @@ def generate_validator_testcases(valid):
          # cycler expressions are accepted.
          'fail': ((4, ValueError),  # Gotta be a string or Cycler object
                   ('cycler("bleh, [])', ValueError),  # syntax error
+                  ("cycler('color', 'rgb') * * cycler('color', 'rgb')",  # syntax error
+                  ValueError),
                   ('Cycler("linewidth", [1, 2, 3])',
                    ValueError),  # only 'cycler()' function is allowed
                   # do not allow dunder in string literals
