From a8bf44d04915f7366d9f8dfbf84822ac37a4bab3 Mon Sep 17 00:00:00 2001
From: Florian Bruhin
Date: Tue, 6 Oct 2020 16:21:56 +0200
Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)

Similarly to GH-22566, those tests called eval() on content received via HTTP in test_named_sequences_full.

This likely isn't exploitable because unicodedata.lookup(seqname) is called before self.checkletter(seqname, None) - thus any string which isn't a valid unicode character name wouldn't ever reach the checkletter method.

Still, it's probably better to be safe than sorry.
---
 Lib/test/test_ucn.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Lib/test/test_ucn.py b/Lib/test/test_ucn.py
index e95f911d8ee..cbfd5af2bb7 100644
--- a/Lib/test/test_ucn.py
+++ b/Lib/test/test_ucn.py
@@ -7,6 +7,7 @@
 """#"
+import ast
 import unittest
 import unicodedata
@@ -24,7 +25,7 @@ def checkletter(self, name, code):
         # Helper that put all \N escapes inside eval'd raw strings,
         # to make sure this script runs even if the compiler
         # chokes on \N escapes
-        res = eval(r'"\N{%s}"' % name)
+        res = ast.literal_eval(r'"\N{%s}"' % name)
         self.assertEqual(res, code)
         return res
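Review bot: The comment three lines above the changed `res = ...` line still says the escapes live inside `eval'd raw strings`, which is now wrong and is exactly the hint a later reader would use to judge whether this helper may be fed names of external origin; update it to `# Helper that puts all \N escapes inside ast.literal_eval()'d raw strings,` and add one line saying why that is enough: `name` is still interpolated into Python source text, so a name containing `"`, `}` or a backslash changes what gets parsed, but literal_eval only ever yields a constant or raises SyntaxError/ValueError, never executes code. A cheap belt-and-braces guard before the interpolation would be `self.assertNotRegex(name, r'["}\\]')`, unless some caller deliberately passes such names, which this hunk does not show. Note that literal_eval is a literal parser, not a sandbox — a pathological input can still exhaust it (RecursionError/MemoryError) — which is acceptable here only as long as, as the commit message states, names reach this helper after `unicodedata.lookup` has accepted them. checkletter's `def` line is on the hunk header rather than in the hunk; the body shown appears complete.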