Security/Safety question re: eval() and dicts
holger krekel
pyth at devel.trillke.net
Sat Jan 25 19:18:13 EST 2003
andy wrote:
> This is probably one for the Language Lawyers and Zen Pythonistas out there...
>
> I'm still working (as time permits) on the 'repository' module I mentioned a
> few weeks ago.
>
> I've renamed it 'chalkboard' to better convey its purpose, and subtitled it
> 'lightweight remote shared dictionary' to further underline its
> insignificance as an industrial-strength mission-critical utility module :-)
i like that one :-)
> Still, I don't want the security side to be totally crap, so I thought I'd
> better try to plug its most glaring hole of all...
You really have to define the threat you want to attack against.
"security" has no real meaning except as a buzzword which everybody
pretends to know about. I mean do you want to attack against a
dictionary with 'evil' values? How do you define 'evil', then,
as 'crashing your interpreter' or 'silently changing data'?
I would rather keep it simple and let users worry about an
appropriate security model.
have fun,
holger