RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://github.com/pandas-dev/pandas/issues/47084 below:

eval and query ignore empty local_dict and global_dict · Issue #47084 · pandas-dev/pandas · GitHub

Pandas version checks

I have checked that this issue has not already been reported.
I have confirmed this bug exists on the latest version of pandas.
I have confirmed this bug exists on the main branch of pandas.

Reproducible Example

import pandas as pd
df = pd.DataFrame([[1,2], [1,2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})

a b c
0 1 2 3
1 1 2 3

Issue Description

If someone was to pass empty dictionaries into local_dict and global_dict kwargs of pd.eval, df.eval or df.query, it would work as if None was passed instead (i.e. actual scope would be populated with current frame locals and globals). This is an unexpected behavior and a security concern.

The reason behind this is an incorrect check of argument None equality there and there. If user passes global_dict={}, the following happens: global_dict or frame.f_globals => {} or frame.f_globals => False or frame.f_globals => frame.f_globals and the same with local_dict later on.

Expected Behavior

import pandas as pd
df = pd.DataFrame([[1,2], [1,2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})

UndefinedVariableError: Undefined variable 'df'

Or a similar error

Installed Versions INSTALLED VERSIONS

commit : 1be9d38
python : 3.9.7.final.0
python-bits : 64
OS : Linux
OS-release : 5.17.5-76051705-generic
Version : #202204271406 165150484021.10~63e51bd SMP PREEMPT Mon May 2 15:
machine : x86_64
processor : x86_64
byteorder : little
LC_ALL : None
LANG : en_US.UTF-8
LOCALE : en_US.UTF-8

pandas : 1.5.0.dev0+798.g1be9d3868f
numpy : 1.21.3
pytz : 2021.1
dateutil : 2.8.2
pip : 20.3.4
setuptools : 52.0.0
Cython : 0.29.30
pytest : 6.2.5
hypothesis : 6.46.7
sphinx : 4.5.0
blosc : 1.10.6
feather : None
xlsxwriter : 3.0.3
lxml.etree : 4.6.3
html5lib : 1.1
pymysql : None
psycopg2 : None
jinja2 : 3.1.1
IPython : 7.33.0
pandas_datareader: None
bs4 : 4.9.3
bottleneck : 1.3.4
brotli : None
fastparquet : 0.7.2
fsspec : 2022.5.0
gcsfs : 2022.5.0
matplotlib : 3.4.3
numba : 0.53.1
numexpr : 2.8.1
odfpy : None
openpyxl : 3.0.10
pandas_gbq : None
pyarrow : 7.0.0
pyreadstat : 1.1.6
pyxlsb : None
s3fs : 0.6.0
scipy : 1.7.3
snappy :
sqlalchemy : 1.4.36
tables : 3.7.0
tabulate : 0.8.9
xarray : 2022.3.0
xlrd : 2.0.1
xlwt : 1.3.0
zstandard : None

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4