eval vs. exec

Kragen Sitaker kragen at pobox.com
Tue May 28 18:22:43 EDT 2002


Hans Nowak <wurmy at earthlink.net> writes:
> Simon Budig wrote:
> > The strings are from an external source, so I have no control over them.
> 
> In that case, Alexander's remark about security risks with eval
> and exec are on point. Don't do this.

Whether or not your program can trust input is a separate issue from
whether or not it can control that input.  Not all user input is
untrusted; in particular, if your program has no privileges not also
possessed by the sender of the input, it is safe to trust that input.

Be aware that the sender of the input may not be who you think it is,
though.  A PostScript viewer might have input supplied by anybody who
wrote a PostScript document the user thinks they want to read, for
example.
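An added example, not from this thread: the safe way to turn an externally supplied string into a Python value is ast.literal_eval rather than eval or exec, since it builds only literal data and raises on anything that would execute. The function names and the sample inputs below are my own.

```python
import ast

# Added example (not from the thread). eval()/exec() would run whatever code
# the external string contains; ast.literal_eval only constructs literal
# values (numbers, strings, bytes, tuples, lists, dicts, sets, booleans, None)
# and raises ValueError on any other node without executing it.

def parse_external(text, max_len=4096):
    """Return the literal value encoded in `text`, or raise ValueError.

    `max_len` is a defensive bound: the parser still has to build an AST,
    so absurdly long or deeply nested input is refused up front.
    """
    if not isinstance(text, str):
        raise ValueError("expected str")
    if len(text) > max_len:
        raise ValueError("input too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        # Names, calls, attribute access, imports etc. all end up here.
        raise ValueError("not a plain literal: %s" % exc) from None

def classify(text):
    """'literal' if the string is plain data, 'rejected' otherwise."""
    try:
        parse_external(text)
        return "literal"
    except ValueError:
        return "rejected"

# Constructed sample inputs, as an untrusted sender might supply them.
SAMPLES = {
    "{'host': 'example.invalid', 'port': 8080}": "literal",
    "[1, 2, (3, 4)]": "literal",
    "__import__('os')": "rejected",     # a call, never evaluated
    "open('secret.txt')": "rejected",   # a call, never evaluated
    "some_variable": "rejected",        # a bare name is not a literal
}

def check_samples():
    """Map each sample to whether classify() gave the expected verdict."""
    return {t: classify(t) == want for t, want in SAMPLES.items()}

if __name__ == "__main__":
    for text, ok in check_samples().items():
        print("%-45r %s" % (text, "ok" if ok else "MISMATCH"))
```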




More information about the Python-list mailing list