Another scripting language implemented into Python itself?
Grant Edwards
grante at visi.com
Tue Jan 25 14:52:47 EST 2005
On 2005-01-25, Rocco Moretti <roccomoretti at hotpop.com> wrote:
> "import module" executes Python code. As such it can do
> anything Python can do. Crash your system, wipe the hard
> drive, etc.
Only if you run as root all the time -- and the same can be
said of any library routine you call.
> And there is nothing the importing code can do to stop it.
Nor is there anything you can do to stop libc from doing stuff.
> Now, if you limit yourself to known and trusted modules, that
> risk virtually disappears, just like staying on the sidewalk
> virtually eliminates the chances of getting hit by a bus. Not
> completely, mind you, since someone could have altered the
> standard library modules/changed the import path such that
> you're importing an unknown module. But most people would
> argue if someone has that power, they probably can do anything
> they want with your system without you doing "import module."
>
> Bottom line: Don't exec or eval untrusted code. Don't import untrusted
> modules.
I still don't see how that's any different for Python than for
any other language.
--
Grant Edwards, grante at visi.com
Yow! I'm EXCITED!! I want a FLANK STEAK WEEK-END!! I think I'm JULIA CHILD!!
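
Added example, not part of the original post or of either poster's code: the quoted text notes that a changed import path can make "import module" load an unknown module, and that importing executes it. This sketch resolves a module name against a search path without executing anything and reports whether the file lies under a trusted directory. The helper names, the choice of the stdlib directory as the trusted root, and the shadowing json.py are assumptions constructed for the illustration.

```python
import importlib.machinery
import os
import sysconfig
import tempfile

# Assumption: only the interpreter's stdlib directory counts as trusted.
STDLIB = os.path.realpath(sysconfig.get_paths()["stdlib"])


def resolve_without_import(name, search_path):
    """Return the file `import name` would load, without executing it."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or spec.origin is None:
        return None
    return os.path.realpath(spec.origin)


def audit_import(name, search_path, trusted_dirs=(STDLIB,)):
    """Classify where `name` resolves: 'trusted', 'untrusted' or 'missing'."""
    origin = resolve_without_import(name, search_path)
    if origin is None:
        return "missing", None
    for d in trusted_dirs:
        d = os.path.realpath(d)
        if origin == d or origin.startswith(d + os.sep):
            return "trusted", origin
    return "untrusted", origin


def demo():
    """Constructed scenario: a directory ahead of the stdlib shadows `json`."""
    with tempfile.TemporaryDirectory() as shadow_dir:
        with open(os.path.join(shadow_dir, "json.py"), "w") as f:
            # This line would run on import; resolution alone never executes it.
            f.write('raise SystemExit("shadow json.py was executed")\n')
        clean = audit_import("json", [STDLIB])
        altered = audit_import("json", [shadow_dir, STDLIB])
    return clean, altered


if __name__ == "__main__":
    for verdict, origin in demo():
        print(verdict, origin)
```

On many installs site-packages sits under the stdlib directory, so pass a narrower trusted_dirs if third-party packages should not count as trusted.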