Hacker News
by bccdee 188 days ago
That's a bad thing, though. You should not be `eval`-ing your config file, much less untrusted messages.

You don't need to call `eval` for the usual config-file setup, only `read`.

(But you often get something much better when config files are plain Lisp code, i.e. they are eval'ed, assuming that the threat model allows it.)

I am not so sure how it works, but you can define your own evaluation handler for `eval` which, I assume, can be as restrictive as you need if you're dealing with untrusted data.
Seems simpler just to use `json.load`.
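The distinction the replies draw, reading a config as data versus evaluating it as code, as an added Python example that is not from this thread: the same config text handled by `eval`, `json.loads` and `ast.literal_eval`. The `record_side_effect` function and both config strings are constructed for the demonstration.

```python
import ast
import json

# Records whether loading a "config" ran code as a side effect.
SIDE_EFFECTS = []


def record_side_effect():
    """Stand-in for any function a config string could call if it is eval'ed."""
    SIDE_EFFECTS.append("config ran code")
    return 8080


# Constructed sample: a config that is plain data in both JSON and Python syntax.
PLAIN_CONFIG = '{"host": "localhost", "port": 8080}'

# Constructed sample: same shape, but the port is an expression that calls a function.
# Only eval() accepts this; it is neither valid JSON nor a Python literal.
ACTIVE_CONFIG = '{"host": "localhost", "port": record_side_effect()}'


def load_config_eval(text):
    """The pattern the thread warns against: the config text is executed as code."""
    return eval(text)


def load_config_json(text):
    """Data-only parsing: anything that is not JSON is rejected, nothing is executed."""
    return json.loads(text)


def load_config_literal(text):
    """Python's closest analogue of read-without-eval: literals only, no names or calls."""
    return ast.literal_eval(text)


def classify(loader, text):
    """Run a loader and report ('ok', value) or ('rejected', exception type name)."""
    try:
        return ("ok", loader(text))
    except (ValueError, SyntaxError) as exc:
        # json.JSONDecodeError is a ValueError; ast.literal_eval raises ValueError on calls.
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    for loader in (load_config_json, load_config_literal, load_config_eval):
        SIDE_EFFECTS.clear()
        print(loader.__name__, classify(loader, ACTIVE_CONFIG), SIDE_EFFECTS)
```

Only the `eval` loader both accepts the second config and fires the side effect; the two data parsers reject it without running anything.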