Converting a hex string to a number

Gerhard Häring gerhard.haering at gmx.de
Tue Jul 9 19:17:08 EDT 2002


Simon Foster wrote in comp.lang.python:
> Huaiyu Zhu wrote:
>>Simon Foster <simon at uggs.demon.co.uk> wrote:
>>>On Tue, 9 Jul 2002 15:23:49 +0200, "Bo M. Maryniuck" wrote:
>>>>On Tuesday 09 July 2002 14:43, Simon.Foster at smiths-aerospace.com wrote:
>>>>> eval!
>>>>Overkill. Unsafe. Ugly. Lame.
>>>What do you mean by unsafe?
>>Something like the following could happen (don't try it!)
>># eval('system("rm -rf /")')
> You seem to be mistaking me for an idiot.

This is not about taking anybody for an idiot. It's about whether you
can trust the source you get your data from 100%. One typical example
where you can not is if it's part of a form submitted via CGI.

Using exec or eval without explicit dictionaries _is_ dangerous, if
you can't absolutely trust the data.

Gerhard
-- 
mail:   gerhard <at> bigfoot <dot> de       registered Linux user #64239
web:    http://www.cs.fhm.edu/~ifw00065/    OpenPGP public key id AD24C930
public key fingerprint: 3FCC 8700 3012 0A9E B0C9  3667 814B 9CAA AD24 C930
reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))
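As an added illustration of the point under discussion (this is example code written for this page, not code from Gerhard's reply or from anyone else in the thread), the block below puts the two approaches side by side: `int(s, 16)` behind a strict regular expression, which parses a hex string without ever evaluating it, and `eval()`, which runs whatever the string contains. The names `CALLS`, `HOSTILE` and `ESCAPE` are constructed for the demonstration: the hostile value only appends to a list so the run stays harmless, where a real form-field payload would call `os.system()` or similar. One caveat a practitioner should carry away: passing explicit globals and locals dictionaries to `eval()`, as the reply mentions, stops name lookups such as `CALLS` or `__import__`, but it is not a sandbox; the `ESCAPE` expression needs no builtins at all and is the usual starting point for walking out of such a restriction. Python 3 is assumed.

```python
"""Hex-string conversion: int() versus eval(), and why a restricted eval() is no sandbox.

Added example for this page; not part of the original mailing-list thread.
"""
import re

# Strict form: optional 0x prefix, hex digits only, surrounding whitespace allowed.
# int(s, 16) on its own would also accept a sign and underscores ("-1_f"), which
# a form field carrying a hex value has no business containing.
_HEX_RE = re.compile(r"^\s*(?:0[xX])?([0-9a-fA-F]+)\s*$")


def hex_to_int(text):
    """Convert a hex string to an int without evaluating it as Python."""
    m = _HEX_RE.match(text)
    if m is None:
        raise ValueError("not a hex literal: %r" % (text,))
    return int(m.group(1), 16)


# Constructed: records side effects so the demonstration stays harmless.
# A real payload would call os.system() or similar instead of appending here.
CALLS = []


def hex_to_int_eval(text):
    """The approach argued against in the thread: eval() runs whatever it is given."""
    return eval(text)


def hex_to_int_restricted_eval(text):
    """eval() with explicit, empty globals/locals: blocks name lookups, not much else."""
    return eval(text, {"__builtins__": {}}, {})


# Constructed inputs. HOSTILE is shaped like a CGI form field: it has a side
# effect (appends to CALLS) and then still yields a plausible-looking number.
GOOD = ["0x1f", "1F", "  DEADBEEF "]
HOSTILE = "CALLS.append('executed') or 0x1f"
# Needs no builtins: walks from a tuple literal to object and enumerates every
# class loaded in the interpreter, the usual first step in escaping a restricted eval.
ESCAPE = "().__class__.__base__.__subclasses__()"


def demo():
    """Run both conversions over the constructed inputs and report what happened."""
    results = {}
    results["safe"] = [hex_to_int(s) for s in GOOD]
    try:
        hex_to_int(HOSTILE)
        results["safe_rejects_hostile"] = False
    except ValueError:
        results["safe_rejects_hostile"] = True
    before = len(CALLS)
    results["eval_value"] = hex_to_int_eval(HOSTILE)      # returns 31 ...
    results["eval_ran_code"] = len(CALLS) == before + 1   # ... and ran the payload
    try:
        hex_to_int_restricted_eval(HOSTILE)
        results["restricted_blocks_names"] = False
    except NameError:
        results["restricted_blocks_names"] = True         # CALLS is not reachable
    # The restriction does not stop attribute walks on literals.
    results["restricted_escape_classes"] = len(hex_to_int_restricted_eval(ESCAPE))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script and the `eval_ran_code` line comes out `True` while `safe_rejects_hostile` is also `True`: the same string that `int()` refuses with a `ValueError` is executed by `eval()` before it hands back an innocent-looking 31. The last line reports how many classes the restricted `eval()` still exposes, which is why explicit dictionaries reduce the damage a careless one-liner can do but do not make untrusted input safe to evaluate.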


