We were using eval() to parse incoming requests. This runs arbitrary code, so anyone who discovers the port number could run code as xcal/xcaltst. Even if we're not concerned about that, it makes the system harder to understand, because theoretically a valid request could include a function call that runs when it's eval-ed.
Looking at the scripts in this repo and the code in myMDC, I believe that requests are always Python literals (specifically, lists/tuples of strings). So we can use the safe ast.literal_eval() function to parse them.
Using JSON would be a nicer approach (mentioned in detectors/calibration_workshop#261), but that would involve changes to the code making requests as well. Using literal_eval is an easy change because it doesn't require any coordination with other code.
Deployed on max-exfl017, tested submitting one run for correction and one dark calibration job (involving 3 runs) from mymdc test environment.