Another scripting language implemented into Python itself?
Rocco Moretti
roccomoretti at hotpop.com
Tue Jan 25 14:25:57 EST 2005
Bob Smith wrote:
> Rocco Moretti wrote:
>
>> Python's also dangerous. Every time you do an "import module", you put
>> your system at risk of crashing, having the hard-drive wiped
>
> Have you been drinking again?

No, not really. The "every time" comment should be viewed in the same
light as "Every time you step outside, you risk being hit by a bus."

"import module" executes Python code. As such it can do anything Python
can do. Crash your system, wipe the hard drive, etc. And there is
nothing the importing code can do to stop it. Now, if you limit yourself
to known and trusted modules, that risk virtually disappears, just like
staying on the sidewalk virtually eliminates the chances of getting hit
by a bus. Not completely, mind you, since someone could have altered the
standard library modules/changed the import path such that you're
importing an unknown module. But most people would argue if someone has
that power, they probably can do anything they want with your system
without you doing "import module."

Bottom line: Don't exec or eval untrusted code. Don't import untrusted
modules.
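
The altered-import-path case from the message above, as an added example that is not part of the original post: it locates the file an import would load without executing it, checks that location against the standard-library directories, then shows that loading the module runs its top-level code. The module contents, the helper names and the choice of the stdlib directories as the "trusted" set are assumptions made for the illustration.

```python
import importlib.util
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder

# Assumption: "trusted" means the interpreter's own standard-library directories.
STDLIB_DIRS = {sysconfig.get_paths()[k] for k in ("stdlib", "platstdlib")}

def is_trusted(origin, trusted_dirs=STDLIB_DIRS):
    """True if the file at `origin` lives under one of the trusted directories."""
    real = os.path.realpath(origin)
    return any(real.startswith(os.path.realpath(d) + os.sep) for d in trusted_dirs)

def locate(name, search_path):
    """Find the file `import name` would load from search_path, without running it."""
    spec = PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None

def demo():
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "ran.txt")
        # Constructed stand-in for an unknown module that shadows a stdlib name.
        with open(os.path.join(d, "colorsys.py"), "w") as f:
            f.write(f"with open({marker!r}, 'w') as m:\n    m.write('side effect')\n")
        altered = [d] + sys.path                # simulates a changed import path
        shadow = locate("colorsys", altered)
        untouched = not os.path.exists(marker)  # locating executed nothing
        # What the import statement does next: execute the module's top-level code.
        spec = importlib.util.spec_from_file_location("colorsys", shadow)
        spec.loader.exec_module(importlib.util.module_from_spec(spec))
        ran = os.path.exists(marker)
        return {
            "shadow_trusted": is_trusted(shadow),
            "normal_trusted": is_trusted(locate("colorsys", sys.path)),
            "located_without_running": untouched,
            "ran_on_import": ran,
        }

if __name__ == "__main__":
    print(demo())
```

On many installations site-packages sits under the standard-library directory, so a real allowlist would need to be narrower than this prefix check.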