text adventure game module for Python
Michael Bauers
me at michaelbauers.com
Sat Jul 20 04:22:41 EDT 2002
I understand a concern like that actually.
I am not sure what a system like I am developing could do to avoid it
however.
Someone creating code for this system could do the same thing manually from
within their program whenever they wanted to however. I do not see how the
environment I am creating makes it any easier for malicious code.
"Paul Rubin" <phr-n2002b at NOSPAMnightsong.com> wrote in message
news:7x1y9zmb31.fsf at ruckus.brouhaha.com...
> "Michael Bauers" <me at michaelbauers.com> writes:
> > If the user types in "drop rock", the interpreter will return a string like
> > 'player.drop(rock)' which is then 'exec'd. Note that interpreter accepts
> > any string for object.
>
> Oh no! What happens if the user types
>
> drop rock);import os;os.system('rm\x20-rf\x20~')
>
> Do you exec it?
>
> Don't ever use exec on user input unless you really know what you're
> doing!
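
The alternative to exec'ing a generated string, as an added example that is not part of the original thread: the typed command is split into a verb and a noun, the verb is looked up in a fixed table, and the noun is passed to the method as plain data. The Player class, VERBS table, WORD pattern and run_command function are hypothetical names, not code from the module under discussion.

```python
import re


class Player:
    """Hypothetical stand-in for the game's player object."""

    def __init__(self, inventory):
        self.inventory = set(inventory)
        self.room = set()

    def drop(self, obj):
        if obj not in self.inventory:
            return f"You are not carrying {obj}."
        self.inventory.remove(obj)
        self.room.add(obj)
        return f"You drop the {obj}."

    def take(self, obj):
        if obj not in self.room:
            return f"There is no {obj} here."
        self.room.remove(obj)
        self.inventory.add(obj)
        return f"You take the {obj}."


# Verbs map to method names through a fixed table, so user text never
# selects an attribute directly and is never compiled as Python.
VERBS = {"drop": "drop", "take": "take", "get": "take"}

# Object names are restricted to a short, plain token (defense in depth).
WORD = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def run_command(player, line):
    """Parse '<verb> <noun>' and dispatch it without exec or eval."""
    parts = line.strip().lower().split()
    if len(parts) != 2:
        return "I don't understand."
    verb, noun = parts
    if verb not in VERBS:
        return "I don't know how to do that."
    if not WORD.fullmatch(noun):
        return "I don't know that object."
    # The noun reaches the method as a string argument, not as source code.
    return getattr(player, VERBS[verb])(noun)
```

Input shaped like the one quoted above is rejected as an unknown object, and even without the WORD check it would only ever be compared against inventory names.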