Yet Another Command Line Parser
Alex Martelli
aleaxit at yahoo.com
Tue Oct 26 18:08:42 EDT 2004
Andrew Dalke <adalke at mindspring.com> wrote:
...
> > exec('func(' + _options + ')')
>
> > The only problem is that error messages are ugly.
>
> And it's a huge security hole. What if I did
>
> script.py "x=6)\
> import os
> os.system('ls -l')"
Not to defend exec (ugly thing it is), but in this case I'm not sure
what the security hole would be. If I enter that tricky commandline at
a shell prompt, it will be just as if I had executed the 'ls -l' at the
same shell prompt; weird, but where is the huge security hole? It's not
as if there were setuid shell scripts (is there...? I sure hope not!-).
IOW, what's the difference between that and the commandline
script.py 'x=6' && ls -l
for example? The latter is no security hole, after all.
I understand and agree with the other criticisms you extend to the OP's
code, but this one leaves me perplexed. exec is a huge security hole if
you're doing it on untrusted data, data supplied by somebody else than
the uid running the script; but how are commandline arguments
'untrusted'...?
Alex
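As an added example, not code from this thread or from the OP: the point both posters agree on is that exec on data supplied by someone other than the person running the script is dangerous. The usual fix for the "x=6" style of option is to parse NAME=LITERAL pairs with ast.literal_eval, which accepts only Python literals and raises on anything else, so the argument Andrew quotes is rejected rather than executed. The function names, the regular expression for option names, and the sample arguments are my own assumptions, and the sample inputs are constructed.

```python
import ast
import re

# Option names must be bare identifiers; this is an assumed policy, not something
# the original script enforced.
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_options(args):
    """Turn ['x=6', "label='hi'"] into {'x': 6, 'label': 'hi'} without exec.

    Values go through ast.literal_eval, which evaluates only literals
    (numbers, strings, tuples, lists, dicts, booleans, None). Imports,
    calls and attribute access are not literals, so they raise instead
    of running.
    """
    options = {}
    for arg in args:
        name, sep, value = arg.partition("=")
        if not sep or not _NAME.match(name):
            raise ValueError("expected NAME=LITERAL, got %r" % arg)
        try:
            options[name] = ast.literal_eval(value)
        except (ValueError, SyntaxError):
            raise ValueError("value for %s is not a literal: %r" % (name, value))
    return options


def call_with_options(func, args):
    """Call func with keyword arguments parsed from the command line."""
    return func(**parse_options(args))


def is_rejected(args):
    """True if parse_options refuses the given argument list."""
    try:
        parse_options(args)
    except ValueError:
        return True
    return False


# Constructed sample inputs.
GOOD_ARGS = ["x=6", "label='hello'", "scale=2.5"]
# The shape of the argument quoted in the thread, as the shell would hand
# it to the script in one argv entry (constructed here, not captured).
TRICKY_ARGS = ["x=6)\nimport os\nos.system('ls -l')"]


if __name__ == "__main__":
    print(parse_options(GOOD_ARGS))
    print("tricky argument rejected:", is_rejected(TRICKY_ARGS))
```

With exec the tricky argument runs `os.system`; with literal_eval the `)` after `6` is a syntax error and the script stops with a plain ValueError, which also addresses the OP's complaint about ugly error messages.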