Merge pull request #21561 from meeseeksmachine/auto-backport-of-pr-21555-on-v3.5.x

jklymak · web-flow · commit ed2b1d046984 · 2021-11-08T04:06:39.000+01:00
diff --git a/lib/matplotlib/rcsetup.py b/lib/matplotlib/rcsetup.py
@@ -700,6 +700,13 @@ def cycler(*args, **kwargs):
     return reduce(operator.add, (ccycler(k, v) for k, v in validated))
 
 
+class _DunderChecker(ast.NodeVisitor):
+    def visit_Attribute(self, node):
+        if node.attr.startswith("__") and node.attr.endswith("__"):
+            raise ValueError("cycler strings with dunders are forbidden")
+        self.generic_visit(node)
+
+
 def validate_cycler(s):
     """Return a Cycler object from a string repr or the object itself."""
     if isinstance(s, str):
@@ -715,9 +722,7 @@ def validate_cycler(s):
         # We should replace this eval with a combo of PyParsing and
         # ast.literal_eval()
         try:
-            if '.__' in s.replace(' ', ''):
-                raise ValueError("'%s' seems to have dunder methods. Raising"
-                                 " an exception for your safety")
+            _DunderChecker().visit(ast.parse(s))
             s = eval(s, {'cycler': cycler, '__builtins__': {}})
         except BaseException as e:
             raise ValueError("'%s' is not a valid cycler construction: %s" %
diff --git a/lib/matplotlib/tests/test_rcparams.py b/lib/matplotlib/tests/test_rcparams.py
@@ -278,6 +278,17 @@ def generate_validator_testcases(valid):
                   ('cycler("bleh, [])', ValueError),  # syntax error
                   ('Cycler("linewidth", [1, 2, 3])',
                    ValueError),  # only 'cycler()' function is allowed
+                  # do not allow dunder in string literals
+                  ("cycler('c', [j.__class__(j) for j in ['r', 'b']])",
+                   ValueError),
+                  ("cycler('c', [j. __class__(j) for j in ['r', 'b']])",
+                   ValueError),
+                  ("cycler('c', [j.\t__class__(j) for j in ['r', 'b']])",
+                   ValueError),
+                  ("cycler('c', [j.\u000c__class__(j) for j in ['r', 'b']])",
+                   ValueError),
+                  ("cycler('c', [j.__class__(j).lower() for j in ['r', 'b']])",
+                   ValueError),
                   ('1 + 2', ValueError),  # doesn't produce a Cycler object
                   ('os.system("echo Gotcha")', ValueError),  # os not available
                   ('import os', ValueError),  # should not be able to import
