input() is a security problem?

Dan Stromberg strombrg at seki.acs.uci.edu
Mon Jun 4 17:58:03 EDT 2001


In the following program:

#!/dcs/packages/python-2.1/bin/python

var=12345

n=input('enter a number, or a variable name like "var": ')

print n



If one enters "var" at the prompt, one sees 12345.

This seems to be a problem for setuid python scripts that may have
access to data, stored in variables, that the user isn't supposed to
be able to see.

Yes, I know, use sys.stdin.readline() instead.  I do.  But...  is
there really a good reason for input to access variables this way?  It
seems an unnecessary pitfall.
-- 
Dan Stromberg                                               UCI/NACS/DCS
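
The behaviour described in this post, as an added example that is not part of the original message. Python 2's input() is equivalent to eval(raw_input()); it is emulated here in Python 3 with eval(), beside a reader that treats the typed line as text and accepts only a numeric literal. SCRIPT_GLOBALS, py2_input_emulation and read_number are hypothetical names, and the sample inputs are constructed.

```python
import ast

# Constructed stand-in for the module globals of the script in the post.
SCRIPT_GLOBALS = {"var": 12345}


def py2_input_emulation(line, namespace):
    """Emulate Python 2 input(): evaluate the typed line as an expression.

    Shown only to reproduce the behaviour from the post. A copy of the
    namespace is used because eval() inserts __builtins__ into the dict.
    """
    return eval(line, dict(namespace))


def read_number(line):
    """Treat the line as data: accept an int or float literal, nothing else."""
    text = line.strip()
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        # Names such as "var", calls, and empty input all end up here.
        raise ValueError("not a number: %r" % text)
    # literal_eval also accepts strings, lists, dicts and booleans.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("not a number: %r" % text)
    return value


def demo():
    """Run both readers over the same constructed inputs."""
    results = []
    for typed in ("42\n", "var\n"):
        leaked = py2_input_emulation(typed.strip(), SCRIPT_GLOBALS)
        try:
            safe = read_number(typed)
        except ValueError as exc:
            safe = "rejected (%s)" % exc
        results.append((typed.strip(), leaked, safe))
    return results


if __name__ == "__main__":
    for typed, leaked, safe in demo():
        print("typed=%r  eval-style=%r  strict=%r" % (typed, leaked, safe))
```

In a real script the line would come from sys.stdin.readline(), as the post suggests, and then be passed to read_number().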


