Need some quick help here...

Moshe Zadka m at moshez.org
Mon Jun 16 05:57:28 EDT 2003


On Sun, 15 Jun 2003, Zac Jensen <listbox at cybereal.org> wrote:

> I have a bit of an issue in something I'm designing.
> It's a security issue.
> Here's what happens at the point of concern.
> Arbitrary code is accepted to be run through an eval statement that looks
> like
> eval(a_repr, {'__builtins__':None})

At that point, you no longer have any security.
Really :)

> I'm looking for any example that could still cause problems, and optionally a 
> suggested solution within the bounds of the problem.

Use your OS security. Or, alternatively, a better serialization mechanism.

PS
a_repr="[[0]*100000 for x in [0]*100000]" took enough time that I gave
up. Are you willing to have your application hang for upwards of a minute?
While consuming lots of CPU and memory? I'm not saying that this is the
worst example, I just came up with it in playing around for a minute...
-- 
Moshe Zadka -- http://moshez.org/
Buffy: I don't like you hanging out with someone that... short.
Riley: Yeah, a lot of young people nowadays are experimenting with shortness.
Agile Programming Language -- http://www.python.org/
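The two points above, demonstrated in runnable form. This is an added example written for this page, not code from Moshe's reply or from Zac's project. It shows that eval() with __builtins__ mapped to None still lets the evaluated string walk object.__subclasses__() back to the real builtins (no builtin names are needed for that), and then shows ast.literal_eval as the "better serialization mechanism": it accepts only literal syntax, so both the escape and the PS memory bomb are rejected before anything runs. The function names (restricted_eval, recover_builtins, escape_demo, safe_load, safe_load_rejects) are this example's own, and the behaviour described in the comments assumes CPython 3.

```python
"""Added example (not from the original thread): why eval() with
{'__builtins__': None} is not a sandbox, and what to use instead.
Function names are this example's own; behaviour assumes CPython 3."""
import ast


def restricted_eval(a_repr):
    """The construct from the thread: eval() with builtins 'removed'."""
    return eval(a_repr, {"__builtins__": None})


def builtins_look_hidden():
    """At first glance the restriction works: plain builtin names are unreachable.
    CPython 3 raises TypeError (None cannot serve as the builtins namespace);
    CPython 2 raised NameError for the same input."""
    try:
        restricted_eval("open('/etc/passwd')")
    except (NameError, TypeError):
        return True
    return False


# The escape uses no builtin names at all. Every object links back to `object`,
# object.__subclasses__() lists every class in the process, and a class written
# in Python carries __init__.__globals__, the namespace of the module that
# defined it, which always contains __builtins__. The first such class comes
# from a module loaded at interpreter startup, so that __builtins__ is the real
# builtins dict.
ESCAPE = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__init__.__class__.__name__ == 'function'][0]"
    ".__init__.__globals__['__builtins__']"
)


def recover_builtins():
    """Run the escape through the 'restricted' eval and hand back the builtins."""
    b = restricted_eval(ESCAPE)
    # Imported modules hold the builtins dict; only __main__ holds the module.
    return b if isinstance(b, dict) else vars(b)


def escape_demo():
    """Use the recovered builtins to import os: from here on it is arbitrary code."""
    os_mod = recover_builtins()["__import__"]("os")
    return os_mod.getpid()


# Moshe's alternative: a loader that does not execute. ast.literal_eval accepts
# only literal syntax (strings, numbers, tuples, lists, dicts, sets, booleans,
# None); a comprehension or an attribute chain is a ValueError, not a computation.
BOMB = "[[0]*100000 for x in [0]*100000]"  # the PS example from the thread


def safe_load(a_repr):
    """Load a repr() of plain data without running it."""
    return ast.literal_eval(a_repr)


def safe_load_rejects(a_repr):
    """True if literal_eval refuses the input instead of evaluating it."""
    try:
        ast.literal_eval(a_repr)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return True
    return False


if __name__ == "__main__":
    print("builtins hidden on the surface:", builtins_look_hidden())
    print("escaped, pid via os.getpid():", escape_demo())
    print("literal_eval rejects the escape:", safe_load_rejects(ESCAPE))
    print("literal_eval rejects the bomb:", safe_load_rejects(BOMB))
    print("literal_eval loads data:", safe_load("[1, 2, {'a': (3, 4)}]"))
```

Two caveats a practitioner should keep in mind. literal_eval removes code execution, not resource exhaustion: a multi-megabyte literal string or a deeply nested list is still parsed and allocated, so size limits on the input (and, per the "use your OS security" advice, process-level memory and CPU limits) still belong in front of it. And the __subclasses__ walk is only one route out; any expression that can reach a Python function object, a module, or a type can rebuild the builtins, which is why the reply says there is no security to recover once eval runs on untrusted text.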