Replace eval with ast.literal_eval

[EpicWink]

Reducing security risk of running arbitrary code.

Resolves #1056

[Gallaecio]

There is no such a risk here, since the input is safe. And while I am all for removing the use of eval, ast.literal_eval does not seem like much of an improvement. I think the goal of #1056 should be to avoid Python code evaluation in the first place.

[EpicWink]

Input is likely safe, but it's still a file which can be changed by any other program without the user noticing. ast.literal_eval has the benefit of only loading basic (literal) values, with the only "security concern" being DoS.

Perhaps instead you could load values as YAML: True and False are valid YAML values for True and False.

[Gallaecio]

Yes, or lower-case them and use JSON (since there is no built-in YAML support). Of True if value == "True" else False.

I have not looked into the source of the values or into whether or not other values besides those 2 are possible.

[EpicWink]

In my own projects, I use:

is_true = string_value.lower() not in {"", "0", "n", "no", "off", "false"}