Another scripting language implemented into Python itself?

Grant Edwards grante at visi.com
Tue Jan 25 14:52:47 EST 2005


On 2005-01-25, Rocco Moretti <roccomoretti at hotpop.com> wrote:

> "import module" executes Python code. As such it can do
> anything Python can do. Crash your system, wipe the hard
> drive, etc.

Only if you run as root all the time -- and the same can be
said of any library routine you call.

> And there is nothing the importing code can do to stop it.

Nor is there anything you can do to stop libc from doing stuff.

> Now, if you limit yourself to known and trusted modules, that
> risk virtually disappears, just like staying on the sidewalk
> virtually eliminates the chances of getting hit by a bus. Not
> completely, mind you, since someone could have altered the 
> standard library modules/changed the import path such that
> you're importing an unknown module. But most people would
> argue if someone has that power, they probably can do anything
> they want with your system without you doing "import module."
>
> Bottom line: Don't exec or eval untrusted code. Don't import untrusted 
> modules.

I still don't see how that's any different for Python than for
any other language.

-- 
Grant Edwards                   grante             Yow!  I'm EXCITED!! I want
                                  at               a FLANK STEAK WEEK-END!! I
                               visi.com            think I'm JULIA CHILD!!
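
The point argued above (that `import` executes the module body, and that whoever controls the import path decides which body runs) can be shown directly. The script below is an added example, not code from the thread; it builds two constructed modules named `helper_mod` in temporary directories and imports them under different `sys.path` orders.

```python
import importlib
import os
import sys
import tempfile
import textwrap

# Constructed module sources for this example. Both define the same name;
# only one of them has a side effect at import time.
BENIGN_SOURCE = textwrap.dedent('''
    # Top-level statements run the moment the module is imported.
    IMPORT_MARKER = "benign"
''')

SIDE_EFFECT_SOURCE = textwrap.dedent('''
    import os
    # Any statement here runs with the importer's privileges. This one only
    # writes a marker file next to itself; it could just as well delete files.
    with open(os.path.join(os.path.dirname(__file__), "imported.txt"), "w") as f:
        f.write("module body executed")
    IMPORT_MARKER = "side-effect"
''')


def write_module(directory, name, source):
    """Write `source` as `<directory>/<name>.py` and return its path."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w") as f:
        f.write(source)
    return path


def import_fresh(name):
    """Import `name`, discarding any cached copy so its body runs again."""
    sys.modules.pop(name, None)
    importlib.invalidate_caches()  # path finders cache directory listings
    return importlib.import_module(name)


def demo_import_runs_code():
    """`import` alone executes module-level code: returns
    (marker file was created, value the module exported)."""
    with tempfile.TemporaryDirectory() as d:
        write_module(d, "helper_mod", SIDE_EFFECT_SOURCE)
        marker = os.path.join(d, "imported.txt")
        before = os.path.exists(marker)
        sys.path.insert(0, d)
        try:
            mod = import_fresh("helper_mod")
        finally:
            sys.path.remove(d)
            sys.modules.pop("helper_mod", None)
        return (not before and os.path.exists(marker), mod.IMPORT_MARKER)


def demo_path_shadowing():
    """The first sys.path entry containing helper_mod.py wins, so whoever can
    prepend a directory picks the code that `import helper_mod` runs."""
    with tempfile.TemporaryDirectory() as trusted, \
            tempfile.TemporaryDirectory() as rogue:
        write_module(trusted, "helper_mod", BENIGN_SOURCE)
        write_module(rogue, "helper_mod", SIDE_EFFECT_SOURCE)
        results = {}
        orders = (("trusted first", [trusted, rogue]),
                  ("rogue first", [rogue, trusted]))
        for label, order in orders:
            sys.path[0:0] = order
            try:
                results[label] = import_fresh("helper_mod").IMPORT_MARKER
            finally:
                for p in order:
                    sys.path.remove(p)
                sys.modules.pop("helper_mod", None)
        return results


if __name__ == "__main__":
    print("import executes body:", demo_import_runs_code())
    print("path order decides which module loads:", demo_path_shadowing())
```

The second function is the "changed the import path" case from the quoted message: nothing in the importing code changed, only the order of `sys.path`, yet a different module body ran. Checking that no writable directory precedes the trusted ones on `sys.path` (and that the script's own directory, which Python puts first, is not writable by others) is the practical defence.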