Python 2.3b1: RuntimeError using rexec
Jeremy Fincher
tweedgeezer at hotmail.com
Wed Apr 30 00:32:45 EDT 2003
martin at v.loewis.de (Martin v. Löwis) wrote in message news:<m31xzl6pac.fsf at mira.informatik.hu-berlin.de>...
> eval should work, but it won't be safe if you cannot trust the string.
I'm curious, if the string was eval'ed in an environment that included
nothing except an empty __builtins__, would there be any non-DoS
security hole? Obviously the attack could DoS by making some value
10**10**10**10 or something, but is there any actual *security* breach
possible?
Jeremy