SafePython (was: Migrating to perl?)

Cameron Laird claird at starbase.neosoft.com
Fri Jan 5 08:57:15 EST 2001


In article <V%c56.4648$of7.221797 at news1.atl>,
Joel Ricker <joejava at dragonat.net> wrote:
			.
			.
			.
>I thought of the question about security and the need for taint modes but
>then I realized since there may not be system calls like `del *.*` there
>might not be a need for it.  I'm sure that if Python is in general use as a
>CGI language then those issues have been cleared up.  Are there any things
>you have to watch for like running in taint mode in perl?
Python *can* do unsafe things.  Python can,
in particular, spawn more-or-less arbitrary
external processes.

Yes, there has been talk of a SafePython in
the past.  To my embarrassment, I've utterly
forgotten what came of it.  There certainly
are a lot of people computing Web pages with
Python, and very few of them think about
"taint" considerations.  How can this be?
Although others will have to supply a deep
technical answer for now, I can quote Thomas
Wouters
<URL: http://deja.com/=dnc/getdoc.xp?AN=641788529 >
    ... a hostile environment ... is
    entirely unlike Python's usual
    environment. If you plan on programming
    in such environments, you should take
    care with your programs. Python will
    not do the Right Thing each time, but
    it also does not pretend it does.  The
    habit of throwing exceptions on errors
    instead of returning an undefined value
    and continuing on helps prevent a lot
    of tight spots, though.
			.
			.
			.
-- 

Cameron Laird <claird at NeoSoft.com>
Business:  http://www.Phaseit.net
Personal:  http://starbase.neosoft.com/~claird/home.html
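The two points above (Python can spawn arbitrary external processes, and its habit of raising exceptions rather than returning undefined values is what stands in for a taint mode) are easier to see side by side in code. The following is an added example, not code from this thread or its authors; it assumes a modern Python 3 interpreter with the standard `subprocess` module, and the hostname allowlist and the sample form-field values are constructed for illustration.

```python
import re
import subprocess

# Constructed sample inputs: what a CGI form field might hand the script.
GOOD_INPUT = "host.example"
BAD_INPUT = "host.example; del *.*"   # constructed; mirrors the thread's own example

# Constructed allowlist for a hostname: a leading alphanumeric, then
# letters, digits, dots and hyphens only, bounded in length.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def unsafe_command_line(user_host):
    """The pattern Perl's taint mode exists to catch: untrusted text is
    concatenated into a command line destined for a shell. This function
    only builds the string so it can be inspected; nothing here passes it
    to os.system() or to a shell."""
    return "ping -c 1 " + user_host


def validate_host(user_host):
    """Reject anything outside the allowlist. Raising an exception instead
    of returning an empty or undefined value is the habit the quoted
    message credits with keeping Python programs out of tight spots."""
    if not HOSTNAME_RE.match(user_host):
        raise ValueError("rejected hostname: %r" % (user_host,))
    return user_host


def safe_argv(user_host):
    """Build an argument list: each element reaches the child process as
    exactly one argv entry, so no shell ever parses the untrusted value.
    'echo' stands in for the real command so the example runs offline."""
    return ["echo", "resolved", validate_host(user_host)]


def run_safe(user_host):
    """Run the child without a shell and return its stdout, stripped."""
    completed = subprocess.run(safe_argv(user_host), capture_output=True,
                               text=True, check=True)
    return completed.stdout.strip()


def handle_request(user_host):
    """What a CGI handler would do: validated input runs; bad input yields
    a clean error tuple instead of a spawned command."""
    try:
        return ("ok", run_safe(user_host))
    except ValueError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    print("string a shell would see:", unsafe_command_line(BAD_INPUT))
    print(handle_request(GOOD_INPUT))
    print(handle_request(BAD_INPUT))
```

The design choice is the one Perl's taint mode enforces mechanically: untrusted data never reaches a command interpreter as text. Passing an argument list with no shell removes the parsing step entirely, and the allowlist check turns a malformed value into a `ValueError` that the handler can report rather than silently act on.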