Need some quick help here...
Zac Jensen
listbox at cybereal.org
Sun Jun 15 23:53:24 EDT 2003
I have a bit of an issue in something I'm designing.
It's a security issue.
Here's what happens at the point of concern.
Arbitrary code is accepted to be run through an eval statement that looks like
eval(a_repr, {'__builtins__':None})
Anything could be in a_repr but, in the code that uses the return value of
eval, it will simply raise an exception if it's not a tuple that is returned.
Also, the string passed to eval will never include a real newline character,
\r and \n are automatically .replace()'d before eval() is called...
I'm looking for any example that could still cause problems, and optionally a
suggested solution within the bounds of the problem.
Thanks in advance :)
-Zac
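An added example, not part of the original post: one way to accept only a tuple of literals is to parse the string with ast.literal_eval (standard library in current Python 3) instead of eval, shown beside the eval pattern from the post for comparison. The names parse_tuple, RejectedInput, MAX_LEN and the sample inputs are assumptions made for this illustration.

```python
import ast

MAX_LEN = 4096  # assumed cap on input size; tune for the application

class RejectedInput(ValueError):
    """Raised when the text is not a plain tuple literal."""

def parse_tuple(a_repr, max_len=MAX_LEN):
    """Parse a_repr as a tuple of literals without evaluating any code."""
    if not isinstance(a_repr, str) or len(a_repr) > max_len:
        raise RejectedInput("input missing or too long")
    try:
        value = ast.literal_eval(a_repr.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise RejectedInput("not a literal: %s" % type(exc).__name__) from exc
    if not isinstance(value, tuple):
        raise RejectedInput("literal is not a tuple")
    return value

def restricted_eval(a_repr):
    """The pattern from the post, kept for comparison only."""
    return eval(a_repr, {'__builtins__': None})

# Constructed sample inputs.
SAMPLES = [
    "(1, 'two', 3.0)",        # plain data: accepted by both
    "('a'.upper(), 2 ** 8)",  # method call and arithmetic: eval runs them
    "[1, 2, 3]",              # valid literal, wrong type
    "(1, 2",                  # malformed
]

def compare(samples=SAMPLES):
    """Return (text, parse_tuple outcome, restricted_eval outcome) per sample."""
    rows = []
    for text in samples:
        try:
            safe = parse_tuple(text)
        except RejectedInput as exc:
            safe = "rejected (%s)" % exc
        try:
            loose = restricted_eval(text)
        except Exception as exc:
            loose = "error (%s)" % type(exc).__name__
        rows.append((text, safe, loose))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The second sample shows the difference: eval with __builtins__ set to None still executes method calls and operators, while the literal parser refuses anything that is not data.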