Convert String to Dictionary question
Christian Tanzer
tanzer at swing.co.at
Sun Feb 17 02:52:00 EST 2002
"Jason Orendorff" <jason at jorendorff.com> wrote:
> > > It seems to me that security is a compelling reason to choose
> > > pickle() over eval(). Am I wrong?
> >
> > With regard to eval, yes. Check out the two optional arguments to
> > eval, before spreading FUD.
>
> Well, the bottom line is: If I'm looking for a vulnerability in
> an app, I'm searching for calls to eval(), not pickle.
>
> For example, the idiom you suggested elsewhere in this thread:
> >>> eval ("""os.system ("echo 'kilroy'")""", {}, {})
>
> is actually exploitable:
> >>> s = "__import__('os').system('echo kilroy')"
> >>> eval (s, {}, {})
> kilroy
> 0
I stand corrected. And I'd like to apologize for being a bit rude.
That one is easily plugged though:
>>> eval (s, {"__builtins__" : {}},{})
Traceback (most recent call last):
File "<stdin>", line 1, in ?
File "<string>", line 0, in ?
NameError: name '__import__' is not defined
> Whereas there are no known security holes in pickle.
Not true.
To wrap this up, writing secure applications is hard -- and rules of
thumb like `eval is bad, pickle is good` aren't going to make it any
easier.
--
Christian Tanzer tanzer at swing.co.at
Glasauergasse 32 Tel: +43 1 876 62 36
A-1130 Vienna, Austria Fax: +43 1 877 66 92
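As an added example, not from the thread: the subject line asks how to turn a string into a dictionary, and since Python 2.6 the defensive answer is ast.literal_eval, which builds only literal values and refuses a call expression such as the one quoted above before anything runs. The two input strings are constructed for this example.

```python
import ast

# Constructed sample inputs for this example.
GOOD_INPUT = "{'user': 'kilroy', 'count': 3, 'tags': ['a', 'b']}"
# The call expression quoted in the thread; literal_eval rejects it unevaluated.
CALL_INPUT = "__import__('os').system('echo kilroy')"


def accepts_literal(text):
    """True if `text` is a pure Python literal (no names, calls or attributes)."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False
    return True


def dict_from_string(text):
    """Parse a dict literal from `text` without ever evaluating code.

    ast.literal_eval walks the parsed AST and only builds strings, numbers,
    tuples, lists, dicts, sets, booleans and None. A Call, Attribute or Name
    node raises ValueError before anything executes, so there are no
    builtins to lock down as there are with eval().
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("input is not a Python literal: %s" % exc) from None
    if not isinstance(value, dict):
        raise ValueError("expected a dict literal, got %s" % type(value).__name__)
    return value


if __name__ == "__main__":
    print(dict_from_string(GOOD_INPUT))
    print(accepts_literal(CALL_INPUT))  # False: rejected without running it
```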